diff options
Diffstat (limited to 'includes/User.php')
| -rw-r--r-- | includes/User.php | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/includes/User.php b/includes/User.php index 12912e1c..62324043 100644 --- a/includes/User.php +++ b/includes/User.php @@ -984,7 +984,8 @@ class User { # Get the token from DB/cache and clean it up to remove garbage padding. # This deals with historical problems with bugs and the default column value. $token = rtrim( $proposedUser->getToken( false ) ); // correct token - $passwordCorrect = ( strlen( $token ) && $token === $request->getCookie( 'Token' ) ); + // Make comparison in constant time (bug 61346) + $passwordCorrect = strlen( $token ) && $this->compareSecrets( $token, $request->getCookie( 'Token' ) ); $from = 'cookie'; } else { // No session or persistent login cookie @@ -1004,6 +1005,25 @@ class User { } /** + * A comparison of two strings, not vulnerable to timing attacks + * @param string $answer the secret string that you are comparing against. + * @param string $test compare this string to the $answer. + * @return bool True if the strings are the same, false otherwise + */ + protected function compareSecrets( $answer, $test ) { + if ( strlen( $answer ) !== strlen( $test ) ) { + $passwordCorrect = false; + } else { + $result = 0; + for ( $i = 0; $i < strlen( $answer ); $i++ ) { + $result |= ord( $answer{$i} ) ^ ord( $test{$i} ); + } + $passwordCorrect = ( $result == 0 ); + } + return $passwordCorrect; + } + + /** * Load user and user_group data from the database. * $this->mId must be set, this is how the user is identified. * |