(parent: a8247ab)
Use hash_equals in User::matchEditToken
author Gergő Tisza <tgr.huwiki@gmail.com> Sat, 21 Nov 2015 19:51:02 +0000 (11:51 -0800)
committer Chad Horohoe <chadh@wikimedia.org> Fri, 18 Dec 2015 00:38:53 +0000 (16:38 -0800)
There is no point in using hash_equals for the return value if we
do a normal comparison before.
Bug: T119309
Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
Change-Id: Ia44ec5ed492105b27d0fddd845d58d27a29dc072
includes/user/User.php
diff --git
a/includes/user/User.php
b/includes/user/User.php
index
c6d215d
..
2ac0f2c
100644
(file)
--- a/
includes/user/User.php
+++ b/
includes/user/User.php
@@
-4228,7
+4228,7
@@
class User implements IDBAccessObject {
$salt, $request ?: $this->getRequest(), $timestamp
);
- if (
$val != $sessionToken
) {
+ if (
!hash_equals( $sessionToken, $val )
) {
wfDebug( "User::matchEditToken: broken session data\n" );
}
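Review bot: the new condition `!hash_equals( $sessionToken, $val )` requires both arguments to be strings, which the `!=` it replaces did not, so the types reaching this line need to be pinned down. Before PHP 8 a non-string argument makes hash_equals() emit a warning and return false, and PHP 8 throws a TypeError, so a null or array `$val` would now surface as a PHP error instead of a quiet mismatch. Suggest rejecting non-string input before the comparison (an `is_string( $val )` check that fails the match) or documenting that callers always pass strings. The argument order is right for hash_equals(), with the server-side `$sessionToken` first and the supplied `$val` second. The hunk only shows the branch that logs "broken session data", so it is worth confirming in the full function that no other non-constant-time comparison of `$val` remains ahead of the return.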