Use hash_equals when comparing to pwhash from cookie

This should prevent a timing attack against this parameter to
disclose the stored password hash.

Signed-off-by: Aidan Woods <aidantwoods@gmail.com>
Aidan Woods
2020-12-06 12:44:14 +00:00
parent 98059251a1
commit 85c7a3b437


@@ -42,7 +42,7 @@
// Check for and authorize from persistent cookie
if (isset($_COOKIE["persistentlogin"]))
{
if ($pwhash === $_COOKIE["persistentlogin"])
if (hash_equals($pwhash, $_COOKIE["persistentlogin"]))
{
$auth = true;
// Refresh cookie with new expiry
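Review bot: the new `hash_equals($pwhash, $_COOKIE["persistentlogin"])` call has the argument order right (known value first, user-supplied value second), but it assumes the cookie value is a string; `$_COOKIE` entries can arrive as arrays, and `hash_equals()` then emits a warning on PHP 7 and throws a TypeError on PHP 8, turning a failed login into an error page. Suggest guarding the comparison, e.g. `if (is_string($_COOKIE["persistentlogin"]) && hash_equals($pwhash, $_COOKIE["persistentlogin"]))`. Also worth noting in the commit message that `hash_equals()` still returns early when the lengths differ, so the constant-time guarantee only holds for the content of equal-length inputs, which is fine for a fixed-length hash.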