
0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch

Authored By
Anomie
Mar 27 2015, 3:53 PM
Size
1 KB


From a9c7003b6dcd54dc9fa29b6e37a23675c5a51e00 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Fri, 27 Mar 2015 11:49:58 -0400
Subject: [PATCH] SECURITY: API: Use constant-time comparison for watchlist
token
Avoids a theoretical timing attack.
Bug: T94116
Change-Id: Ia4a2b13bd5d3cd256c6b2deada224148dc2888a6
---
includes/api/ApiBase.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index 74e51c8..b16b23e 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -1158,7 +1158,7 @@ abstract class ApiBase extends ContextSource {
$this->dieUsage( 'Specified user does not exist', 'bad_wlowner' );
}
$token = $user->getOption( 'watchlisttoken' );
- if ( $token == '' || $token != $params['token'] ) {
+ if ( $token == '' || !hash_equals( $token, $params['token'] ) ) {
$this->dieUsage(
'Incorrect watchlist token provided -- please set a correct token in Special:Preferences',
'bad_wltoken'
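Review bot: the new `hash_equals( $token, $params['token'] )` line will emit a PHP warning and return false if `$params['token']` is not a string (for example null when the parameter is absent), so either guarantee upstream that the parameter is always a string or guard the call with an `is_string( $params['token'] )` check before it. The argument order is correct (the stored `$token` is the known value, the request value is the user-supplied one), which is what keeps the comparison constant-time with respect to the attacker-controlled input. Also note that `hash_equals()` is a native function only from PHP 5.6 onward; if the tree still supports older PHP, confirm a polyfill is loaded before this code path runs, otherwise the change turns a timing weakness into a fatal error on those versions.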
--
2.1.4
