fix(security): prevent username enumeration via timing attack
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
Perform a dummy LDAP bind when SearchDN fails so that the response time is indistinguishable between unknown users and wrong passwords. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
e64db9d923
commit
12fd2f2e70
2 changed files with 4 additions and 0 deletions
|
|
@ -81,6 +81,8 @@ func changePassword(w http.ResponseWriter, r *http.Request) {
|
|||
renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
|
||||
} else if dn, err := conn.SearchDN(r.PostFormValue("login"), true); err != nil {
|
||||
log.Println(err)
|
||||
// User not found: perform a dummy bind to prevent username enumeration via timing.
|
||||
conn.Bind("cn=dummy,"+myLDAP.BaseDN, r.PostFormValue("password"))
|
||||
renderError(http.StatusUnauthorized, "Invalid login or password.")
|
||||
} else if err := conn.Bind(dn, r.PostFormValue("password")); err != nil {
|
||||
log.Println(err)
|
||||
|
|
|
|||
2
login.go
2
login.go
|
|
@ -88,6 +88,8 @@ func login(login string, password string) ([]*ldap.EntryAttribute, error) {
|
|||
if err != nil {
|
||||
dn, err = conn.SearchDN(login, false)
|
||||
if err != nil {
|
||||
// User not found: perform a dummy bind to prevent username enumeration via timing.
|
||||
conn.Bind("cn=dummy,"+myLDAP.BaseDN, password)
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue