webapp: Use securemem for constant time auth token comparisons.
Debian stable does not have securemem, but neither does it have warp-tls, so just disable use of securemem when not building with https support.
This commit is contained in:
parent
ea0138d8a1
commit
66b8b9c094
9 changed files with 63 additions and 33 deletions
|
@ -73,7 +73,7 @@ webAppThread assistantdata urlrenderer noannex cannotrun postfirstrun listenhost
|
|||
#endif
|
||||
webapp <- WebApp
|
||||
<$> pure assistantdata
|
||||
<*> (pack <$> genRandomToken)
|
||||
<*> genAuthToken
|
||||
<*> getreldir
|
||||
<*> pure staticRoutes
|
||||
<*> pure postfirstrun
|
||||
|
@ -125,7 +125,7 @@ myUrl tlssettings webapp addr = unpack $ yesodRender webapp urlbase DashboardR [
|
|||
|
||||
getTlsSettings :: Annex (Maybe TLS.TLSSettings)
|
||||
getTlsSettings = do
|
||||
#ifdef WITH_WEBAPP_HTTPS
|
||||
#ifdef WITH_WEBAPP_SECURE
|
||||
cert <- fromRepo gitAnnexWebCertificate
|
||||
privkey <- fromRepo gitAnnexWebPrivKey
|
||||
ifM (liftIO $ allM doesFileExist [cert, privkey])
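Review bot: The guard on `getTlsSettings` now keys on `WITH_WEBAPP_SECURE` instead of `WITH_WEBAPP_HTTPS`, and because `#ifdef` on an undefined macro compiles cleanly, any guard elsewhere still spelled `WITH_WEBAPP_HTTPS` would silently select the no-TLS branch rather than fail the build. It is worth searching the tree and the cabal flag definitions for the old name before merging. A short comment above the guard, `{- WITH_WEBAPP_SECURE means both warp-tls and securemem are available -}`, would record what the single flag now gates, matching the commit description. Which of the two `#ifdef` lines is the new side is inferred from that description, and the body of getTlsSettings continues outside the hunk.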
|
||||
|
|
|
@ -14,6 +14,7 @@ import Assistant.WebApp.Types
|
|||
import Assistant.Common
|
||||
import Utility.NotificationBroadcaster
|
||||
import Utility.Yesod
|
||||
import Utility.WebApp
|
||||
|
||||
import Data.Text (Text)
|
||||
import Control.Concurrent
|
||||
|
@ -36,7 +37,7 @@ newNotifier getbroadcaster = liftAssistant $ do
|
|||
webAppFormAuthToken :: Widget
|
||||
webAppFormAuthToken = do
|
||||
webapp <- liftH getYesod
|
||||
[whamlet|<input type="hidden" name="auth" value="#{secretToken webapp}">|]
|
||||
[whamlet|<input type="hidden" name="auth" value="#{fromAuthToken (authToken webapp)}">|]
|
||||
|
||||
{- A button with an icon, and maybe label or tooltip, that can be
|
||||
- clicked to perform some action.
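Review bot: `fromAuthToken (authToken webapp)` in the hidden-input splice of `webAppFormAuthToken` (and the same call in the `"?auth="` list in the notifierUrl hunk) unwraps the token back into an ordinary value for interpolation, so the securemem protection is confined to the comparison in checkAuthToken and a plain copy still lives in the rendered widget and url as before. That is unavoidable for embedding, but a one-line comment at the call site, `-- fromAuthToken exposes the raw token; only checkAuthToken should compare it`, keeps later readers from reaching for the unwrapped value in comparisons. `fromAuthToken` and `AuthToken` are defined outside this hunk, so the type it returns is inferred from its use here.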
|
||||
|
|
|
@ -22,6 +22,7 @@ import Assistant.DaemonStatus
|
|||
import Assistant.Types.Buddies
|
||||
import Utility.NotificationBroadcaster
|
||||
import Utility.Yesod
|
||||
import Utility.WebApp
|
||||
|
||||
import Data.Text (Text)
|
||||
import qualified Data.Text as T
|
||||
|
@ -64,7 +65,7 @@ notifierUrl route broadcaster = do
|
|||
[ "/"
|
||||
, T.intercalate "/" urlbits
|
||||
, "?auth="
|
||||
, secretToken webapp
|
||||
, fromAuthToken (authToken webapp)
|
||||
]
|
||||
|
||||
getNotifierTransfersR :: Handler RepPlain
|
||||
|
|
|
@ -41,7 +41,7 @@ mkYesodData "WebApp" $(parseRoutesFile "Assistant/WebApp/routes")
|
|||
|
||||
data WebApp = WebApp
|
||||
{ assistantData :: AssistantData
|
||||
, secretToken :: Text
|
||||
, authToken :: AuthToken
|
||||
, relDir :: Maybe FilePath
|
||||
, getStatic :: Static
|
||||
, postFirstRun :: Maybe (IO String)
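Review bot: The new `authToken :: AuthToken` field carries no documentation of the contract change from the former `secretToken :: Text`, namely that equality on it is meant to be constant-time and that callers should not unwrap it except for rendering. A field comment such as `-- Compared in constant time by checkAuthToken; use fromAuthToken only when embedding in urls/forms.` would record this where the type is declared. Whether `AuthToken` itself provides the constant-time `Eq` cannot be seen from this hunk.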
|
||||
|
@ -52,11 +52,11 @@ data WebApp = WebApp
|
|||
|
||||
instance Yesod WebApp where
|
||||
{- Require an auth token be set when accessing any (non-static) route -}
|
||||
isAuthorized _ _ = checkAuthToken secretToken
|
||||
isAuthorized _ _ = checkAuthToken authToken
|
||||
|
||||
{- Add the auth token to every url generated, except static subsite
|
||||
- urls (which can show up in Permission Denied pages). -}
|
||||
joinPath = insertAuthToken secretToken excludeStatic
|
||||
joinPath = insertAuthToken authToken excludeStatic
|
||||
where
|
||||
excludeStatic [] = True
|
||||
excludeStatic (p:_) = p /= "static"
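Review bot: `isAuthorized _ _ = checkAuthToken authToken` discards both the route and the write flag, while the comment above it says the token is required only for non-static routes; if the static exemption lives inside checkAuthToken the comment should say so, otherwise every route, static included, is gated. Suggest `{- Require an auth token be set when accessing any route; static routes are exempted inside checkAuthToken -}` or whatever wording matches checkAuthToken, which is outside this hunk. Both `isAuthorized` and `joinPath` now pass the field selector `authToken` rather than a token value, so the constant-time comparison the commit promises happens entirely inside checkAuthToken and should be verified there.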
|
||||
|
|