X-Git-Url: https://gitweb.ps.run/ps-cgit/blobdiff_plain/b826537cb4aa2358027ffcb1dd6a87274734e962..9999b0a3e915c76a52be433830660e803ef71cb0:/filters/simple-authentication.lua

diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index 5935d08..9291302 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -45,7 +45,7 @@ function authenticate_post()
 
 	redirect_to(redirect)
 
-	-- TODO: Implement time invariant string comparison function to mitigate timing attack.
+	-- Lua hashes strings, so these comparisons are time invariant.
 	if password == nil or password ~= post["password"] then
 		set_cookie("cgitauth", "")
 	else
@@ -122,12 +122,7 @@ function filter_open(...)
 	cgit["repo"] = select(9, ...)
 	cgit["page"] = select(10, ...)
 	cgit["url"] = select(11, ...)
-
-	cgit["login"] = ""
-	for _ in cgit["url"]:gfind("/") do
-		cgit["login"] = cgit["login"] .. "../"
-	end
-	cgit["login"] = cgit["login"] .. "?p=login"
+	cgit["login"] = select(12, ...)
 
 end
 
@@ -222,7 +217,7 @@ function validate_value(cookie)
 		return nil
 	end
 
-	-- TODO: implement time invariant comparison to prevent against timing attack.
+	-- Lua hashes strings, so these comparisons are time invariant.
 	if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
 		return nil
 	end