From 883f03262f9885ff7e2ba288efe7de7fd1b1bb1d Mon Sep 17 00:00:00 2001
From: Vladislav Yarmak <vladislav-ex-src@vm-0.com>
Date: Tue, 12 Jan 2021 16:07:24 +0200
Subject: [PATCH] basic auth: fix timing oracle

---
 auth.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/auth.go b/auth.go
index 43ad36f53b..4d8a6ce484 100644
--- a/auth.go
+++ b/auth.go
@@ -5,6 +5,7 @@
 package gin
 
 import (
+	"crypto/subtle"
 	"encoding/base64"
 	"net/http"
 	"strconv"
@@ -30,7 +31,7 @@ func (a authPairs) searchCredential(authValue string) (string, bool) {
 		return "", false
 	}
 	for _, pair := range a {
-		if pair.value == authValue {
+		if subtle.ConstantTimeCompare([]byte(pair.value), []byte(authValue)) == 1 {
 			return pair.user, true
 		}
 	}