commit c00891640650bc553f7c4e7eb12ba43cce23f273 Author: David Fifield david@bamsoftware.com Date: Sat Nov 9 17:08:58 2013 -0800
Use constant-time compare for auth cookie header.
Why not. --- pt.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pt.go b/pt.go
index d64f169..a8bd001 100644
--- a/pt.go
+++ b/pt.go
@@ -338,7 +338,7 @@ func readAuthCookie(f io.Reader) ([]byte, error) {
 }
 header := buf[0:32]
 cookie := buf[32:64]
- if !bytes.Equal(header, authCookieHeader) {
+ if subtle.ConstantTimeCompare(header, authCookieHeader) != 1 {
 return nil, errors.New(fmt.Sprintf("missing auth cookie header"))
 }
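Review bot: The new `subtle.ConstantTimeCompare` check in readAuthCookie appears to guard a fixed file-format marker rather than a secret, and a short comment would stop later readers from treating the header as sensitive, e.g. `// authCookieHeader is a fixed, public marker; the constant-time compare is defensive only, the secret is cookie.` authCookieHeader is defined outside the hunk, as are the start and end of the function, so its public and constant nature is inferred from the name and should be confirmed. ConstantTimeCompare returns 0 at once when the lengths differ, which is harmless here because header is always the 32-byte slice `buf[0:32]`. The diffstat shows a single changed line, so the import block was not touched: `crypto/subtle` has to be imported already, and `bytes` has to be used elsewhere in pt.go, for the file to still build.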
tor-commits@lists.torproject.org