author | Luke Shumaker <LukeShu@sbcglobal.net> | 2014-05-05 15:30:48 -0400 |
committer | Luke Shumaker <LukeShu@sbcglobal.net> | 2014-05-05 15:30:48 -0400 |
commit | 3d86add3dfa5e0b3ead9859593d4a52cf7555a34 (patch) | |
tree | 453d8bd3fda4dbb3020017ea1a469291da5cdc71 /includes/User.php | |
parent | 064cec79ca4c8201de0d06bbca6cb7a5345d11be (diff) | |
parent | 2e44b49a2db3026050b136de9b00f749dd3ff939 (diff) |
Merge branch 'archwiki'
Diffstat (limited to 'includes/User.php')
-rw-r--r-- | includes/User.php | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/includes/User.php b/includes/User.php
index 12912e1c..62324043 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -984,7 +984,8 @@ class User {
 # Get the token from DB/cache and clean it up to remove garbage padding.
 # This deals with historical problems with bugs and the default column value.
 $token = rtrim( $proposedUser->getToken( false ) ); // correct token
-$passwordCorrect = ( strlen( $token ) && $token === $request->getCookie( 'Token' ) );
+// Make comparison in constant time (bug 61346)
+$passwordCorrect = strlen( $token ) && $this->compareSecrets( $token, $request->getCookie( 'Token' ) );
 $from = 'cookie';
 } else {
 // No session or persistent login cookie
@@ -1004,6 +1005,25 @@ class User {
 }
 
 /**
+ * A comparison of two strings, not vulnerable to timing attacks
+ * @param string $answer the secret string that you are comparing against.
+ * @param string $test compare this string to the $answer.
+ * @return bool True if the strings are the same, false otherwise
+ */
+ protected function compareSecrets( $answer, $test ) {
+ if ( strlen( $answer ) !== strlen( $test ) ) {
+ $passwordCorrect = false;
+ } else {
+ $result = 0;
+ for ( $i = 0; $i < strlen( $answer ); $i++ ) {
+ $result |= ord( $answer{$i} ) ^ ord( $test{$i} );
+ }
+ $passwordCorrect = ( $result == 0 );
+ }
+ return $passwordCorrect;
+ }
+
+ /**
 * Load user and user_group data from the database.
 * $this->mId must be set, this is how the user is identified.
 * |
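Review bot: The new call passes `$request->getCookie( 'Token' )` straight into compareSecrets, and when the cookie is absent that presumably yields null rather than a string, which the helper's `strlen( $test )` silently treats as length 0; the length mismatch then returns false, so the outcome is right but only through PHP's loose null-to-string handling, and the helper's docblock says `@param string $test`. Either make the contract explicit at the call site, `$this->compareSecrets( $token, (string)$request->getCookie( 'Token' ) )`, or document on the helper that a null `$test` is accepted and always compares unequal to a non-empty `$answer`. The enclosing method starts and ends outside this hunk.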
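Review bot: In compareSecrets the string-offset syntax `$answer{$i}` / `$test{$i}` is the curly-brace form that later PHP releases deprecate and then remove; `$answer[$i]` and `$test[$i]` are the equivalent portable spelling, and `$passwordCorrect = ( $result == 0 )` should use `===` since `$result` is always an int. The loop bound `strlen( $answer )` is also re-evaluated on every iteration; hoisting it into a local keeps the loop body doing only the XOR-accumulate work the function exists to provide, e.g. `$len = strlen( $answer ); for ( $i = 0; $i < $len; $i++ ) { $result |= ord( $answer[$i] ) ^ ord( $test[$i] ); }`. Once the project's minimum PHP version permits it, `hash_equals( $answer, $test )` is the built-in for exactly this comparison and the helper can delegate to it; the early length-mismatch return is fine here because the token length is not itself secret. The helper is complete within the hunk.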