Project | Branch | Lines +/- | Subject
---|---|---|---
mediawiki/extensions/CentralAuth | master | +1 -1 | [SECURITY] Use constant time comparison in validateAuthToken |
Event Timeline
Given it's non-trivial to pull off a timing attack of this type, I wonder if this patch could go directly on gerrit (/me looks at @csteipp )
Minor, but the argument order should be reversed. From http://php.net/manual/en/function.hash-equals.php.
Note: It is important to provide the user-supplied string as the second parameter, rather than the first.
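The point about argument order, as an added example that is not CentralAuth's code or the change under review: a token check in the style of validateAuthToken written first with `===` (the "before" of this kind of fix) and then with `hash_equals()`, with the known server-side value as the first parameter and the user-supplied value as the second, as the PHP manual note above requires. The function names, `$storedToken`, and the sample values are hypothetical; nothing here is taken from the extension.

```php
<?php
declare(strict_types=1);

// Added example, not CentralAuth code. Names (tokenMatchesNaive,
// tokenMatchesConstantTime, $storedToken) are hypothetical.

/**
 * Before: '===' on strings returns as soon as the first differing byte is
 * found, so the time taken depends on how long a prefix the attacker's
 * guess shares with the stored token. This is the pattern the change
 * replaces; it is kept here only as the "before" side.
 */
function tokenMatchesNaive(string $storedToken, string $userToken): bool
{
    return $storedToken === $userToken;
}

/**
 * After: hash_equals() runs in time that does not depend on where (or
 * whether) the two strings differ. Per the PHP manual, the known
 * server-side value is the first argument and the user-supplied value
 * the second.
 */
function tokenMatchesConstantTime(string $storedToken, $userToken): bool
{
    // hash_equals() accepts strings only. On PHP 7 a non-string argument
    // emits a warning and the call returns false; on PHP 8 it throws a
    // TypeError. Reject non-strings up front so a malformed request
    // parameter (an array, null) never reaches the comparison.
    if (!is_string($userToken)) {
        return false;
    }
    // Known value first, user-supplied value second.
    return hash_equals($storedToken, $userToken);
}

// Constructed sample values so the file runs stand-alone.
$storedToken = bin2hex(random_bytes(16)); // 32 hex characters
$goodGuess   = $storedToken;
// Same length, differs only in the last character: the worst case for
// a byte-by-byte '===' comparison, a non-event for hash_equals().
$badGuess    = substr($storedToken, 0, 31)
             . ($storedToken[31] === 'a' ? 'b' : 'a');

var_dump(tokenMatchesConstantTime($storedToken, $goodGuess));
var_dump(tokenMatchesConstantTime($storedToken, $badGuess));
var_dump(tokenMatchesConstantTime($storedToken, ['not', 'a', 'string']));
```

The `is_string()` guard is the practitioner's caveat here: request parameters in PHP can arrive as arrays, and the version-dependent behaviour of `hash_equals()` on non-strings means an explicit check is safer than relying on the warning or the exception.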
Google suggests it's for future compatibility reasons (https://stackoverflow.com/questions/27911597/why-is-order-of-arguments-in-phps-hash-equals-function-important). I guess that's more reasonable. I still think that's a poor API design.
Change 284237 merged by Chad:
[SECURITY] Use constant time comparison in validateAuthToken