From: Mogmog123
Date: Sat, 1 Dec 2018 01:25:06 +0000 (+0000)
Subject: Changing "===" on secrets to hash_equals to protect from timing attacks.
X-Git-Tag: 1.34.0-rc.0~3398^2
X-Git-Url: http://git.cyclocoop.org/%7B%24admin_url%7Dcompta/comptes/%28%5B%5E/%27%20.%20%24_credit%5B%27url%27%5D%20.%20%27?a=commitdiff_plain;h=37a396796b1d8c89e5af10fd7ef2491479e880be;p=lhc%2Fweb%2Fwiklou.git
Changing "===" on secrets to hash_equals to protect from timing attacks.
Bug: T207777
Change-Id: I1e12ef94f455f96b4d70af27a315414500c709ab
---
diff --git a/includes/password/PasswordPolicyChecks.php b/includes/password/PasswordPolicyChecks.php
index 04ee6e9bc9..3c565359d9 100644
--- a/includes/password/PasswordPolicyChecks.php
+++ b/includes/password/PasswordPolicyChecks.php
@@ -87,7 +87,7 @@ class PasswordPolicyChecks {
 $username = $user->getName();
 $contLang = MediaWikiServices::getInstance()->getContentLanguage();
 if (
- $policyVal && $contLang->lc( $password ) === $contLang->lc( $username )
+ $policyVal && hash_equals( $contLang->lc( $username ), $contLang->lc( $password ) )
 ) {
 $status->error( 'password-name-match' );
 }
@@ -110,12 +110,15 @@ class PasswordPolicyChecks {
 $status = Status::newGood();
 $username = $user->getName();
 if ( $policyVal ) {
- if ( isset( $blockedLogins[$username] ) && $password == $blockedLogins[$username] ) {
+ if ( isset( $blockedLogins[$username] ) &&
+ hash_equals( $blockedLogins[$username], $password )
+ ) {
 $status->error( 'password-login-forbidden' );
 }
 // Example from ApiChangeAuthenticationRequest
- if ( $password === 'ExamplePassword' ) {
+ if ( hash_equals( 'ExamplePassword', $password ) ) {
 $status->error( 'password-login-forbidden' );
 }
 }
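Review bot: The constant-time compare on the `$policyVal && hash_equals( ... )` line carries no explanation at the call site, so a later cleanup could plausibly fold it back to `===` as a simplification; a short comment tying it to the bug would protect the intent, e.g. `// hash_equals(): constant-time compare so response time does not reveal how much of the password matches the username (T207777)`. The same comment is worth adding once above the `$blockedLogins[$username]` and `'ExamplePassword'` compares in the second hunk, which otherwise read as an arbitrary style change. Note that hash_equals() still returns early on a length mismatch, which here exposes only the length of the already-public username, not of the password, so the remaining timing signal is acceptable. The enclosing method starts before and ends after this hunk.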