# HG changeset patch
# User Matthew Wild
# Date 1533665572 -3600
# Node ID 5d35e6b409e01f1133fe576b89bec81e0ae95813
# Parent 18ff93198e611b2e6695db3ffd36e2ae48ba7a2d
mod_http_upload_external: share.php: Use hash_equals() if available to protect against timing attack

diff -r 18ff93198e61 -r 5d35e6b409e0 mod_http_upload_external/share.php
--- a/mod_http_upload_external/share.php	Sat Aug 04 16:10:40 2018 +0200
+++ b/mod_http_upload_external/share.php	Tue Aug 07 19:12:52 2018 +0100
@@ -74,11 +74,20 @@
 
 	$upload_token = $_GET['v'];
 	$calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET);
-	if($upload_token !== $calculated_token) {
-		header('HTTP/1.0 403 Forbidden');
-		exit;
+	if(function_exists('hash_equals')) {
+		if(hash_equals($calculated_token, $upload_token) !== TRUE) {
+			error_log("Token mismatch: calculated $calculated_token got $upload_token");
+			header('HTTP/1.0 403 Forbidden');
+			exit;
+		}
 	}
-
+	else {
+		if($upload_token !== $calculated_token) {
+			error_log("Token mismatch: calculated $calculated_token got $upload_token");
+			header('HTTP/1.0 403 Forbidden');
+			exit;
+		}
+	}
 
 	/* Open a file for writing */
 	$store_file = fopen($store_file_name, 'x');
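Review bot: Both new `error_log` calls write `$calculated_token` — the valid HMAC for this file name and size — into the server log next to the rejected value, so anyone who can read that log obtains a token that will pass the check; log only the fact of the mismatch, e.g. `error_log("Token mismatch for $upload_file_name");`. `$upload_token` is taken straight from `$_GET['v']` and is also written to the log unsanitized, and because a query parameter can arrive as an array rather than a string, `hash_equals()` would reject it with a warning on older PHP and, as far as I can tell, a `TypeError` on PHP 8; a guard such as `if(!is_string($upload_token)) { header('HTTP/1.0 403 Forbidden'); exit; }` before the comparison keeps the response a plain 403. The `else` branch for installations without `hash_equals()` still uses the short-circuiting `!==` comparison, as the commit message acknowledges, so the timing protection only applies where the function exists.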