From: Brad Jorsch
Date: Fri, 27 Mar 2015 15:49:58 +0000 (-0400)
Subject: SECURITY: API: Use constant-time comparison for watchlist token
X-Git-Tag: 1.31.0-rc.0~10461
X-Git-Url: http://git.cyclocoop.org/%7D%7Cconcat%7B?a=commitdiff_plain;h=00f3e29bfcb80361b588357da0aaea4bce63d198;p=lhc%2Fweb%2Fwiklou.git
SECURITY: API: Use constant-time comparison for watchlist token
Avoids a theoretical timing attack.
Bug: T94116
Change-Id: Ia4a2b13bd5d3cd256c6b2deada224148dc2888a6
---
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index 393ff49d7c..754c0ed2a6 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -1229,7 +1229,7 @@ abstract class ApiBase extends ContextSource {
 $this->dieUsage( 'Specified user does not exist', 'bad_wlowner' );
 }
 $token = $user->getOption( 'watchlisttoken' );
- if ( $token == '' || $token != $params['token'] ) {
+ if ( $token == '' || !hash_equals( $token, $params['token'] ) ) {
 $this->dieUsage(
 'Incorrect watchlist token provided -- please set a correct token in Special:Preferences',
 'bad_wltoken'
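Review bot: The new condition hands `$params['token']` to `hash_equals()` unconverted, and `hash_equals()` requires two strings: a null or non-string request value makes it emit a warning and return false on PHP 5.6/7 and throw a TypeError on PHP 8, which is noisier than the `dieUsage()` this branch intends. Unless the caller already guarantees the parameter is a non-null string (any such guard, like the start of the enclosing method, sits above this hunk, and the method continues below it), cast at the call site: `if ( $token == '' || !hash_equals( $token, (string)$params['token'] ) ) {`. `hash_equals()` is native only from PHP 5.6, so if the project still supports earlier PHP versions a `function_exists()`-guarded polyfill must be in scope or this line becomes a fatal "undefined function" error instead of a rejected request. The argument order is correct as written: the stored option is the known string and the request value is the user-supplied one, so only the latter's length is leaked.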