What does 'go version' print?
go version go1.2.2 darwin/amd64
What steps reproduce the problem?
If possible, include a link to a program on play.golang.org.
1. Compare two byte slices with ConstantTimeCompare(), where the second slice is longer and the first slice is a prefix of the second.
http://play.golang.org/p/XH0gRhdDTu
What happened?
The function compares slices only up to the length of the first slice and thus gives a false positive.
What should have happened instead?
I understand that this is not the way this function is supposed to be used. However, the behavior on this incorrect usage varies based on the order of the arguments.

I think that panicking (due to out-of-range access), as the function does when the *first* slice is longer, is a much better solution. Panic clearly indicates a mistake on the programmer's part, whereas passing silently can go unnoticed for a long time and even be exploited.

It's a simple fix to do, I think: instead of iterating up to len(x), iterate up to max(len(x), len(y)).
by justinas@justinas.me:
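The following is an added example, not code from the issue or from the Go standard library. `prefixCompare` reconstructs the behaviour the report describes for go1.2.2 (a loop bounded by `len(x)` only), so the false positive and the order-dependent panic can be observed side by side with `safeCompare`, a length-checking variant that wraps `crypto/subtle` from whatever Go release is installed. The slices `short` and `long` are constructed test inputs; `callPanics` is a helper written for this example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// prefixCompare reproduces the bug reported above: it walks only len(x)
// bytes, so a prefix match is reported as a full match when y is longer,
// and the loop indexes past y (and panics) when x is longer. This is a
// reconstruction for demonstration, not the standard library's code.
func prefixCompare(x, y []byte) int {
	var v byte
	for i := 0; i < len(x); i++ {
		v |= x[i] ^ y[i]
	}
	return subtle.ConstantTimeByteEq(v, 0)
}

// safeCompare returns 1 only when x and y are the same length and equal.
// The explicit length check leaks whether the lengths differ, which is
// acceptable for MACs and tokens whose length is public; the byte
// contents are still compared in constant time.
func safeCompare(x, y []byte) int {
	if len(x) != len(y) {
		return 0
	}
	return subtle.ConstantTimeCompare(x, y)
}

// callPanics reports whether f panics, without letting the panic
// escape. Used here to show the order-dependent crash.
func callPanics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	short := []byte("secret")             // constructed input
	long := []byte("secret-with-suffix")  // constructed input, has short as prefix

	fmt.Println("prefixCompare(short, long):", prefixCompare(short, long))                  // 1 (false positive)
	fmt.Println("prefixCompare(long, short) panics:", callPanics(func() { prefixCompare(long, short) })) // true
	fmt.Println("safeCompare(short, long):", safeCompare(short, long))                      // 0
	fmt.Println("safeCompare(long, long):", safeCompare(long, []byte("secret-with-suffix"))) // 1
}
```

Returning 0 on a length mismatch, rather than panicking, means a caller that compares an attacker-supplied value (a presented MAC or API token) cannot be made to crash the process by sending a longer or shorter input; the comparison simply fails.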