Pi-Hole/web
1
0
Fork 0
mirror of https://github.com/pi-hole/web.git synced 2025-12-26 13:36:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use hash_equals in password.php (and move it to funcs.php)

Browse Source 
Signed-off-by: Mcat12 <newtoncat12@yahoo.com>
This commit is contained in:
Mcat12
2018-01-19 17:52:06 -05:00
parent f89cbee1aa
commit 862db2ba9e
3 changed files with 25 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
scripts/pi-hole/php/auth.php
View File

@@ -92,26 +92,6 @@ function check_csrf($token) {
session_start();
}
// Credit: http://php.net/manual/en/function.hash-equals.php#119576
if(!function_exists('hash_equals')) {
function hash_equals($known_string, $user_string) {
$ret = 0;
if (strlen($known_string) !== strlen($user_string)) {
$user_string = $known_string;
$ret = 1;
}
$res = $known_string ^ $user_string;
for ($i = strlen($res) - 1; $i >= 0; --$i) {
$ret |= ord($res[$i]);
}
return !$ret;
}
}
if(!isset($_SESSION['token']) || empty($token) || !hash_equals($_SESSION['token'], $token)) {
log_and_die("Wrong token");
}