$token = rtrim( $proposedUser->getToken( false ) ); // correct token
// Make comparison in constant time (bug 61346)
$passwordCorrect = strlen( $token )
- && $this->compareSecrets( $token, $request->getCookie( 'Token' ) );
+ && hash_equals( $token, $request->getCookie( 'Token' ) );
$from = 'cookie';
} else {
// No session or persistent login cookie
}
}
- /**
- * A comparison of two strings, not vulnerable to timing attacks
- * @param string $answer The secret string that you are comparing against.
- * @param string $test Compare this string to the $answer.
- * @return bool True if the strings are the same, false otherwise
- */
- protected function compareSecrets( $answer, $test ) {
- if ( strlen( $answer ) !== strlen( $test ) ) {
- $passwordCorrect = false;
- } else {
- $result = 0;
- $answerLength = strlen( $answer );
- for ( $i = 0; $i < $answerLength; $i++ ) {
- $result |= ord( $answer[$i] ) ^ ord( $test[$i] );
- }
- $passwordCorrect = ( $result == 0 );
- }
-
- return $passwordCorrect;
- }
-
/**
* Load user and user_group data from the database.
* $this->mId must be set, this is how the user is identified.
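Review bot: The new `hash_equals()` call on the `+` line requires both arguments to be strings, so if `$request->getCookie( 'Token' )` returns null when the cookie is absent (the removed `compareSecrets()` tolerated that, since `strlen( null )` is 0 and the lengths simply differed), the comparison now emits a warning and returns false on PHP 5.6/7 and throws a TypeError on PHP 8 instead of quietly evaluating to false. An explicit guard keeps the constant-time comparison while rejecting a missing cookie deterministically: `$cookieToken = $request->getCookie( 'Token' );` / `$passwordCorrect = strlen( $token ) && is_string( $cookieToken )` / `&& hash_equals( $token, $cookieToken );`. `hash_equals()` only exists natively from PHP 5.6, so unless a compatibility polyfill is provided elsewhere in the tree the project's minimum PHP version should be confirmed before this lands. The enclosing method starts before the hunk, so whether `$request` is guaranteed non-null at this point cannot be verified here.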
/**
* Set the given option for a user.
*
+ * You need to call saveSettings() to actually write to the database.
+ *
* @param string $oname The option to set
* @param mixed $val New value to set
*/
}
/**
- * @todo document
+ * Saves the non-default options for this user, as previously set e.g. via
+ * setOption(), in the database's "user_properties" (preferences) table.
+ * Usually used via saveSettings().
*/
protected function saveOptions() {
$this->loadOptions();