Pi-Hole/web
1
0
Fork 0
mirror of https://github.com/pi-hole/web.git synced 2026-04-24 10:50:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

Use hash_equals in password.php (and move it to funcs.php)

Browse Source 
Signed-off-by: Mcat12 <newtoncat12@yahoo.com>
This commit is contained in:
Mcat12
2018-01-19 17:52:06 -05:00
parent f89cbee1aa
commit 862db2ba9e
3 changed files with 25 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
scripts/pi-hole/php/password.php
View File

@@ -6,6 +6,8 @@
* This file is copyright under the latest version of the EUPL.
* Please see LICENSE file for your rights under this license. */
require('func.php');
// Start a new PHP session (or continue an existing one)
session_start();
@@ -37,7 +39,7 @@
if(isset($_POST["pw"]))
{
$postinput = hash('sha256',hash('sha256',$_POST["pw"]));
if($postinput == $pwhash)
if(hash_equals($pwhash, $postinput))
{
$_SESSION["hash"] = $pwhash;
@@ -57,13 +59,13 @@
// Compare auth hash with saved hash
else if (isset($_SESSION["hash"]))
{
if($_SESSION["hash"] == $pwhash)
if(hash_equals($pwhash, $_SESSION["hash"]))
$auth = true;
}
// API can use the hash to get data without logging in via plain-text password
else if (isset($api) && isset($_GET["auth"]))
{
if($_GET["auth"] == $pwhash)
if(hash_equals($pwhash, $_GET["auth"]))
$auth = true;
}
else