use hash_equals for login - see: https://github.com/postfixadmin/postfixadmin/issues/58

4 years ago · 48e236ffc0
parent dd52a98d43
commit 48e236ffc0
1 changed files with 4 additions and 4 deletions
--- a/model/PFAHandler.php
+++ b/model/PFAHandler.php
@ -840,11 +840,11 @@ abstract class PFAHandler {

            $crypt_password = pacrypt($password, $row['password']);

-            if ($row['password'] == $crypt_password) {
-                return true;
-            }
+            return hash_equals($row['password'], $crypt_password);
        }
-        return false;
+        // try and be near constant time regardless of whether the db user exists or not
+        $x = pacrypt('abc', 'def');
+        return hash_equals('not', 'comparable');
    }

    /**