banananetwork
/
postfixadmin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

use hash_equals for login - see: https://github.com/postfixadmin/postfixadmin/issues/58

Browse Source
feature-php-crypt-prefix
David Goodwin 4 years ago
parent dd52a98d43
commit 48e236ffc0
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File

8
model/PFAHandler.php
Unescape Escape View File

@ -840,11 +840,11 @@ abstract class PFAHandler {
$crypt_password = pacrypt($password, $row['password']); $crypt_password = pacrypt($password, $row['password']);
if ($row['password'] == $crypt_password) { return hash_equals($row['password'], $crypt_password);
return true;
}
} }
return false; // try and be near constant time regardless of whether the db user exists or not
$x = pacrypt('abc', 'def');
return hash_equals('not', 'comparable');
} }
/** /**

Write Preview
Loading…
Cancel
Save