Use phutil_hashes_are_identical() when comparing hashes in Phabricator

Summary: See D14025. In all cases where we compare hashes, use strict, constant-time comparisons.

Test Plan: Logged in, logged out, added TOTP, ran Conduit, terminated sessions, submitted forms, changed password. Tweaked CSRF token, got rejected.

Reviewers: chad

Reviewed By: chad

Subscribers: chenxiruanhai

Differential Revision: https://secure.phabricator.com/D14026
This commit is contained in:
epriestley
2015-09-01 15:52:44 -07:00
parent 13516cf35f
commit 29948eaa5b
11 changed files with 33 additions and 35 deletions


@@ -209,7 +209,7 @@ abstract class PhabricatorAuthController extends PhabricatorController {
$actual = $account->getProperty('registrationKey');
$expect = PhabricatorHash::digest($registration_key);
if ($actual !== $expect) {
if (!phutil_hashes_are_identical($actual, $expect)) {
$response = $this->renderError(
pht(
'Your browser submitted a different registration key than the one '.
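Review bot: The replacement of `$actual !== $expect` with `!phutil_hashes_are_identical($actual, $expect)` on the registration-key check changes what happens when `$account->getProperty('registrationKey')` is unset: the strict `!==` comparison silently rejected a null `$actual`, whereas a constant-time hash comparison helper normally expects two strings, so it is worth confirming that a missing property still ends in the error response rather than an exception, or guarding with an explicit `is_string($actual)` check before the comparison. The switch itself is correct for the stated goal, since `$expect` is a `PhabricatorHash::digest()` output and short-circuiting `!==` leaks the position of the first differing byte.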