mirror of
https://github.com/bettercap/bettercap
synced 2025-07-06 21:12:05 -07:00
new: disabling api.rest authentication if username or password are empty
This commit is contained in:
parent
3b6ea499dd
commit
f9656e1d1d
2 changed files with 10 additions and 8 deletions
|
@ -50,12 +50,12 @@ func NewRestAPI(s *session.Session) *RestAPI {
|
||||||
|
|
||||||
api.AddParam(session.NewStringParameter("api.rest.username",
|
api.AddParam(session.NewStringParameter("api.rest.username",
|
||||||
"",
|
"",
|
||||||
".+",
|
"",
|
||||||
"API authentication username."))
|
"API authentication username."))
|
||||||
|
|
||||||
api.AddParam(session.NewStringParameter("api.rest.password",
|
api.AddParam(session.NewStringParameter("api.rest.password",
|
||||||
"",
|
"",
|
||||||
".+",
|
"",
|
||||||
"API authentication password."))
|
"API authentication password."))
|
||||||
|
|
||||||
api.AddParam(session.NewStringParameter("api.rest.certificate",
|
api.AddParam(session.NewStringParameter("api.rest.certificate",
|
||||||
|
|
|
@ -43,6 +43,7 @@ func toJSON(w http.ResponseWriter, o interface{}) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (api *RestAPI) checkAuth(r *http.Request) bool {
|
func (api *RestAPI) checkAuth(r *http.Request) bool {
|
||||||
|
if api.username != "" && api.password != "" {
|
||||||
user, pass, _ := r.BasicAuth()
|
user, pass, _ := r.BasicAuth()
|
||||||
// timing attack my ass
|
// timing attack my ass
|
||||||
if subtle.ConstantTimeCompare([]byte(user), []byte(api.username)) != 1 {
|
if subtle.ConstantTimeCompare([]byte(user), []byte(api.username)) != 1 {
|
||||||
|
@ -50,6 +51,7 @@ func (api *RestAPI) checkAuth(r *http.Request) bool {
|
||||||
} else if subtle.ConstantTimeCompare([]byte(pass), []byte(api.password)) != 1 {
|
} else if subtle.ConstantTimeCompare([]byte(pass), []byte(api.password)) != 1 {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue