diff options
| author | Nils Adermann <naderman@naderman.de> | 2014-10-22 16:57:50 -0400 |
|---|---|---|
| committer | Nils Adermann <naderman@naderman.de> | 2014-10-22 16:57:50 -0400 |
| commit | fad280f94b97799cf12a636b65f7f2288e8b3640 (patch) | |
| tree | 821234d51023b240cb38a0e8a04194ec73e75a4c /phpBB/phpbb/passwords/driver/md5_phpbb2.php | |
| parent | e43d1781bf17c9265f075dfc0cc38d807fe3b70e (diff) | |
| parent | cf9d1fbd1a7013f561a736b9fc2157b7f935b7d6 (diff) | |
| download | forums-fad280f94b97799cf12a636b65f7f2288e8b3640.tar forums-fad280f94b97799cf12a636b65f7f2288e8b3640.tar.gz forums-fad280f94b97799cf12a636b65f7f2288e8b3640.tar.bz2 forums-fad280f94b97799cf12a636b65f7f2288e8b3640.tar.xz forums-fad280f94b97799cf12a636b65f7f2288e8b3640.zip | |
Merge pull request #3056 from marc1706/ticket/13203
[ticket/13203] Use constant time comparison method for comparing password hashes
Diffstat (limited to 'phpBB/phpbb/passwords/driver/md5_phpbb2.php')
| -rw-r--r-- | phpBB/phpbb/passwords/driver/md5_phpbb2.php | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/phpBB/phpbb/passwords/driver/md5_phpbb2.php b/phpBB/phpbb/passwords/driver/md5_phpbb2.php index 86a4b62ea5..bd8cc51e5a 100644 --- a/phpBB/phpbb/passwords/driver/md5_phpbb2.php +++ b/phpBB/phpbb/passwords/driver/md5_phpbb2.php @@ -23,6 +23,9 @@ class md5_phpbb2 extends base /** @var \phpbb\passwords\driver\salted_md5 */ protected $salted_md5; + /** @var \phpbb\passwords\driver\helper */ + protected $helper; + /** @var string phpBB root path */ protected $phpbb_root_path; @@ -34,13 +37,15 @@ class md5_phpbb2 extends base * * @param \phpbb\request\request $request phpBB request object * @param \phpbb\passwords\driver\salted_md5 $salted_md5 Salted md5 driver + * @param \phpbb\passwords\driver\helper $helper Driver helper * @param string $phpbb_root_path phpBB root path * @param string $php_ext PHP file extension */ - public function __construct($request, \phpbb\passwords\driver\salted_md5 $salted_md5, $phpbb_root_path, $php_ext) + public function __construct($request, salted_md5 $salted_md5, helper $helper, $phpbb_root_path, $php_ext) { $this->request = $request; $this->salted_md5 = $salted_md5; + $this->helper = $helper; $this->phpbb_root_path = $phpbb_root_path; $this->php_ext = $php_ext; } @@ -105,7 +110,7 @@ class md5_phpbb2 extends base include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->php_ext); } - if (md5($password_old_format) === $hash || md5(\utf8_to_cp1252($password_old_format)) === $hash + if ($this->helper->string_compare(md5($password_old_format), $hash) || $this->helper->string_compare(md5(\utf8_to_cp1252($password_old_format)), $hash) || $this->salted_md5->check(md5($password_old_format), $hash) === true || $this->salted_md5->check(md5(\utf8_to_cp1252($password_old_format)), $hash) === true) { |