Save advanced search namespace prefs on Special:Search itself

[lhc/web/wiklou.git] / includes / User.php

diff --git a/includes/User.php b/includes/User.php
index 6578341..7401c4d 100644 (file)
--- a/includes/User.php
+++ b/includes/User.php
@@ -1146,7 +1146,7 @@ class User {
                        $token = rtrim( $proposedUser->getToken( false ) ); // correct token
                        // Make comparison in constant time (bug 61346)
                        $passwordCorrect = strlen( $token )
-                               && $this->compareSecrets( $token, $request->getCookie( 'Token' ) );
+                               && hash_equals( $token, $request->getCookie( 'Token' ) );
                        $from = 'cookie';
                } else {
                        // No session or persistent login cookie
@@ -1165,27 +1165,6 @@ class User {
                }
        }
 
-       /**
-        * A comparison of two strings, not vulnerable to timing attacks
-        * @param string $answer The secret string that you are comparing against.
-        * @param string $test Compare this string to the $answer.
-        * @return bool True if the strings are the same, false otherwise
-        */
-       protected function compareSecrets( $answer, $test ) {
-               if ( strlen( $answer ) !== strlen( $test ) ) {
-                       $passwordCorrect = false;
-               } else {
-                       $result = 0;
-                       $answerLength = strlen( $answer );
-                       for ( $i = 0; $i < $answerLength; $i++ ) {
-                               $result |= ord( $answer[$i] ) ^ ord( $test[$i] );
-                       }
-                       $passwordCorrect = ( $result == 0 );
-               }
-
-               return $passwordCorrect;
-       }
-
        /**
         * Load user and user_group data from the database.
         * $this->mId must be set, this is how the user is identified.
@@ -1672,6 +1651,9 @@ class User {
         * Primitive rate limits: enforce maximum actions per time period
         * to put a brake on flooding.
         *
+        * The method generates both a generic profiling point and a per action one
+        * (suffix being "-$action".
+        *
         * @note When using a shared cache like memcached, IP-address
         * last-hit counters will be shared across wikis.
         *
@@ -1698,6 +1680,7 @@ class User {
 
                global $wgMemc;
                wfProfileIn( __METHOD__ );
+               wfProfileIn( __METHOD__ . '-' . $action );
 
                $limits = $wgRateLimits[$action];
                $keys = array();
@@ -1776,6 +1759,7 @@ class User {
                        }
                }
 
+               wfProfileOut( __METHOD__ . '-' . $action );
                wfProfileOut( __METHOD__ );
                return $triggered;
        }
@@ -2568,6 +2552,8 @@ class User {
        /**
         * Set the given option for a user.
         *
+        * You need to call saveSettings() to actually write to the database.
+        *
         * @param string $oname The option to set
         * @param mixed $val New value to set
         */
@@ -4823,7 +4809,9 @@ class User {
        }
 
        /**
-        * @todo document
+        * Saves the non-default options for this user, as previously set e.g. via
+        * setOption(), in the database's "user_properties" (preferences) table.
+        * Usually used via saveSettings().
         */
        protected function saveOptions() {
                $this->loadOptions();