From 85c7a3b437f28cb43d33754f2ac7e29a7f0eded0 Mon Sep 17 00:00:00 2001 From: Aidan Woods Date: Sun, 6 Dec 2020 12:44:14 +0000 Subject: [PATCH] Use hash_equals when comparing to pwhash from cookie This should prevent a timing attack against this parameter to disclose the stored passsword hash. Signed-off-by: Aidan Woods --- scripts/pi-hole/php/password.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pi-hole/php/password.php b/scripts/pi-hole/php/password.php index 3ebf9f62..b3da977a 100644 --- a/scripts/pi-hole/php/password.php +++ b/scripts/pi-hole/php/password.php @@ -42,7 +42,7 @@ // Check for and authorize from persistent cookie if (isset($_COOKIE["persistentlogin"])) { - if ($pwhash === $_COOKIE["persistentlogin"]) + if (hash_equals($pwhash, $_COOKIE["persistentlogin"])) { $auth = true; // Refresh cookie with new expiry