webapp: Use securemem for constant time auth token comparisons.

Debian stable does not have securemem, but neither does it have warp-tls,
so just disable use of securemem when not building with https support.
This commit is contained in:
Joey Hess 2014-03-12 21:21:10 -04:00
parent ea0138d8a1
commit 66b8b9c094
9 changed files with 63 additions and 33 deletions

View file

@ -14,6 +14,7 @@ import Assistant.WebApp.Types
import Assistant.Common
import Utility.NotificationBroadcaster
import Utility.Yesod
import Utility.WebApp
import Data.Text (Text)
import Control.Concurrent
@ -36,7 +37,7 @@ newNotifier getbroadcaster = liftAssistant $ do
webAppFormAuthToken :: Widget
webAppFormAuthToken = do
webapp <- liftH getYesod
[whamlet|<input type="hidden" name="auth" value="#{secretToken webapp}">|]
[whamlet|<input type="hidden" name="auth" value="#{fromAuthToken (authToken webapp)}">|]
{- A button with an icon, and maybe label or tooltip, that can be
- clicked to perform some action.