Mercurial > prosody-modules
comparison mod_http_upload_external/share.php @ 3216:5d35e6b409e0
mod_http_upload_external: share.php: Use hash_equals() if available to protect against timing attack
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 07 Aug 2018 19:12:52 +0100 |
| parents | 9480ca61294d |
| children | 3b13f19652e2 |
comparison
equal
deleted
inserted
replaced
| 3215:18ff93198e61 | 3216:5d35e6b409e0 |
|---|---|
| 72 if(array_key_exists('v', $_GET) === TRUE && $request_method === 'PUT') { | 72 if(array_key_exists('v', $_GET) === TRUE && $request_method === 'PUT') { |
| 73 $upload_file_size = $_SERVER['CONTENT_LENGTH']; | 73 $upload_file_size = $_SERVER['CONTENT_LENGTH']; |
| 74 $upload_token = $_GET['v']; | 74 $upload_token = $_GET['v']; |
| 75 | 75 |
| 76 $calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET); | 76 $calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET); |
| 77 if($upload_token !== $calculated_token) { | 77 if(function_exists('hash_equals')) { |
| 78 header('HTTP/1.0 403 Forbidden'); | 78 if(hash_equals($calculated_token, $upload_token) !== TRUE) { |
| 79 exit; | 79 error_log("Token mismatch: calculated $calculated_token got $upload_token"); |
| 80 header('HTTP/1.0 403 Forbidden'); | |
| 81 exit; | |
| 82 } | |
| 80 } | 83 } |
| 81 | 84 else { |
| 85 if($upload_token !== $calculated_token) { | |
| 86 error_log("Token mismatch: calculated $calculated_token got $upload_token"); | |
| 87 header('HTTP/1.0 403 Forbidden'); | |
| 88 exit; | |
| 89 } | |
| 90 } | |
| 82 /* Open a file for writing */ | 91 /* Open a file for writing */ |
| 83 $store_file = fopen($store_file_name, 'x'); | 92 $store_file = fopen($store_file_name, 'x'); |
| 84 | 93 |
| 85 if($store_file === FALSE) { | 94 if($store_file === FALSE) { |
| 86 header('HTTP/1.0 409 Conflict'); | 95 header('HTTP/1.0 409 Conflict'); |