diff mod_http_upload_external/share.php @ 3216:5d35e6b409e0
mod_http_upload_external: share.php: Use hash_equals() if available to protect against timing attack
author | Matthew Wild <mwild1@gmail.com> |
date | Tue, 07 Aug 2018 19:12:52 +0100 |
parents | 9480ca61294d |
children | 3b13f19652e2 |
--- a/mod_http_upload_external/share.php Sat Aug 04 16:10:40 2018 +0200
+++ b/mod_http_upload_external/share.php Tue Aug 07 19:12:52 2018 +0100
@@ -74,11 +74,20 @@
 $upload_token = $_GET['v'];
 $calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET);
-if($upload_token !== $calculated_token) {
-	header('HTTP/1.0 403 Forbidden');
-	exit;
+if(function_exists('hash_equals')) {
+	if(hash_equals($calculated_token, $upload_token) !== TRUE) {
+		error_log("Token mismatch: calculated $calculated_token got $upload_token");
+		header('HTTP/1.0 403 Forbidden');
+		exit;
+	}
 }
-
+else {
+	if($upload_token !== $calculated_token) {
+		error_log("Token mismatch: calculated $calculated_token got $upload_token");
+		header('HTTP/1.0 403 Forbidden');
+		exit;
+	}
+}
 /* Open a file for writing */
 $store_file = fopen($store_file_name, 'x');
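Review bot: Both new `error_log` calls write `$calculated_token` — the HMAC that is the valid credential for this file name and size — into the server error log, so any log reader or log-shipping pipeline obtains a token that the script itself would accept, and the untrusted `$upload_token` from `$_GET['v']` is interpolated unescaped, so a crafted `v` value can inject arbitrary lines into the log. Logging only the fact of a mismatch (without either token value) removes both problems and lets the two identical rejection branches collapse into one. As a smaller point, `hash_equals(...) !== TRUE` is kept below as `$token_valid !== TRUE` so that a non-string `v` (e.g. `v[]=x`), which makes `hash_equals` warn and return a non-true value, is still rejected; the `!==` fallback for PHP without `hash_equals` remains timing-sensitive, as the commit message already implies. The hunk is top-level script code, so there is no enclosing function.
```php
$calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET);
if(function_exists('hash_equals')) {
	$token_valid = hash_equals($calculated_token, $upload_token);
} else {
	$token_valid = ($upload_token === $calculated_token);
}
if($token_valid !== TRUE) {
	/* Never log either token: the calculated one is a valid credential for this upload */
	error_log("Token mismatch for upload of $upload_file_name");
	header('HTTP/1.0 403 Forbidden');
	exit;
}
/* … unchanged: file open … */
```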