webapp: Use securemem for constant time auth token comparisons.

Debian stable does not have securemem, but neither does it have warp-tls,
so just disable use of securemem when not building with https support.
This commit is contained in:
Joey Hess 2014-03-12 21:21:10 -04:00
parent ea0138d8a1
commit 66b8b9c094
9 changed files with 63 additions and 33 deletions

View file

@ -22,6 +22,7 @@ import Assistant.DaemonStatus
import Assistant.Types.Buddies
import Utility.NotificationBroadcaster
import Utility.Yesod
import Utility.WebApp
import Data.Text (Text)
import qualified Data.Text as T
@ -64,7 +65,7 @@ notifierUrl route broadcaster = do
[ "/"
, T.intercalate "/" urlbits
, "?auth="
, secretToken webapp
, fromAuthToken (authToken webapp)
]
getNotifierTransfersR :: Handler RepPlain

View file

@ -41,7 +41,7 @@ mkYesodData "WebApp" $(parseRoutesFile "Assistant/WebApp/routes")
data WebApp = WebApp
{ assistantData :: AssistantData
, secretToken :: Text
, authToken :: AuthToken
, relDir :: Maybe FilePath
, getStatic :: Static
, postFirstRun :: Maybe (IO String)
@ -52,11 +52,11 @@ data WebApp = WebApp
instance Yesod WebApp where
{- Require an auth token be set when accessing any (non-static) route -}
isAuthorized _ _ = checkAuthToken secretToken
isAuthorized _ _ = checkAuthToken authToken
{- Add the auth token to every url generated, except static subsite
- urls (which can show up in Permission Denied pages). -}
joinPath = insertAuthToken secretToken excludeStatic
joinPath = insertAuthToken authToken excludeStatic
where
excludeStatic [] = True
excludeStatic (p:_) = p /= "static"