author | Maurice Svay <maurice@svay.com> | 2015-08-04 17:37:19 +0200 |
---|---|---|
committer | Maurice Svay <maurice@svay.com> | 2015-08-04 17:37:19 +0200 |
commit | a88c7abdc14b66225e0a84d2da30fd99eea694ea (patch) | |
tree | df25afeb4c4c0b2438a187976265599b2e1c5bd0 | |
parent | 07aa4f5484dfefe4d9d5870b31d2e2269583fdd2 (diff) | |
parent | cb5e73816fa0308b22c7274509b23059ce1d5eda (diff) | |
Merge pull request #72 from nashe/patch-juggling
Hardening the authentication
-rw-r--r-- | admin/inc/auth.inc.php | 13 | ||||
-rw-r--r-- | app/classes/Planet.class.php | 40 |
2 files changed, 46 insertions, 7 deletions
diff --git a/admin/inc/auth.inc.php b/admin/inc/auth.inc.php
index d21467b..db6e571 100644
--- a/admin/inc/auth.inc.php
+++ b/admin/inc/auth.inc.php
@@ -1,11 +1,10 @@
 <?php
-include (dirname(__FILE__).'/pwd.inc.php');
-if ( isset($_COOKIE['auth']) && $_COOKIE['auth'] == $password ) {
- //ok, cool
-} else {
- setcookie('auth','', time()-3600);
+include dirname(__FILE__).'/pwd.inc.php';
+require_once __DIR__.'/../../app/classes/Planet.class.php';
+
+if (!Planet::authenticateUser($_COOKIE['auth'], $password)) {
+ setcookie('auth', '', time() - 3600);
 header('Location: login.php');
- die;
+ die();
 }
-?>
\ No newline at end of file
diff --git a/app/classes/Planet.class.php b/app/classes/Planet.class.php
index 3c76378..f502d7a 100644
--- a/app/classes/Planet.class.php
+++ b/app/classes/Planet.class.php
@@ -54,6 +54,46 @@ class Planet
 }
 /**
+ * Compare the supplied password with the known one.
+ *
+ * This functions uses a type-safe and timing-safe comparison, in order to
+ * improve the security of the authentication.
+ *
+ * Read more about this sort of attacks (used for the < PHP 5.6.0 implementation):
+ * - https://security.stackexchange.com/questions/83660/simple-string-comparisons-not-secure-against-timing-attacks
+ * - https://github.com/laravel/framework/blob/a1dc78820d2dbf207dbdf0f7075f17f7021c4ee8/src/Illuminate/Support/Str.php#L289
+ * - https://github.com/symfony/security-core/blob/master/Util/StringUtils.php#L39
+ *
+ * @param string $known
+ * @param string $supplied
+ * @return bool
+ */
+ public static function authenticateUser($known = '', $supplied = '')
+ {
+ // The hash_equals function was introduced in PHP 5.6.0. If it's not
+ // existing in the current context (PHP version too old), and to ensure
+ // compatibility with those old interpreters, we'll have to provide
+ // an PHP implementation of this function.
+ if (function_exists('hash_equals')) {
+ return hash_equals($known, $supplied);
+ }
+
+ // Some implementation references can be found on the function comment.
+ $knownLen = mb_strlen($known);
+ if ($knownLen !== mb_strlen($supplied)) {
+ return false;
+ }
+
+ // Ensure that all the characters are the same, and continue until the
+ // end of the string even if an difference was found.
+ for ($i = 0, $comparison = 0; $i < $knownLen; $i++) {
+ $comparison |= ord($known[$i]) ^ ord($supplied[$i]);
+ }
+
+ return ($comparison === 0);
+ }
+
+ /**
 * Getters
 */
 public function getItems()
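Review bot: The new `if` in auth.inc.php reads `$_COOKIE['auth']` without the `isset()` guard the removed condition had, so a request with no cookie raises an undefined-index notice and passes `null` into `authenticateUser()`, which neither the `hash_equals()` path (PHP 5.6/7 warns and returns false for a non-string; later versions deprecate the null coercion) nor the `mb_strlen()` fallback is written for. The arguments are also swapped relative to the method's docblock (`$known` first, then `$supplied`): the cookie value is passed as the known string and the configured `$password` as the supplied one. I would write it as `if (!isset($_COOKIE['auth']) || !Planet::authenticateUser($password, $_COOKIE['auth'])) {`, which keeps the old behaviour of redirecting to login.php when the cookie is absent. The cookie still appears to carry the raw value that is compared against `$password`, which this commit does not change and which is outside the hunk.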
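Review bot: The fallback path of `authenticateUser()` mixes character and byte semantics: `$knownLen` comes from `mb_strlen()` (characters, per the mbstring internal encoding) while the loop indexes `$known[$i]` and `$supplied[$i]` by byte, so on multibyte input the loop stops before the trailing bytes and can report two different strings as equal (constructed example: `"aé"` and `"aè"` are both two characters and share their first two bytes, so `$comparison` stays 0). `mb_strlen()` is also only available with the mbstring extension, a dependency nothing else in this hunk shows. Use byte lengths, which match the loop and what `hash_equals()` itself compares: `$knownLen = strlen($known);` and `if ($knownLen !== strlen($supplied)) {`. Since the caller can hand in an unset cookie (`null`), I would additionally add an `is_string()` check on both arguments at the top of the method, before the `hash_equals()` branch, that returns false. Docblock nits: `This functions uses` → `This function uses`, `an PHP implementation` → `a PHP implementation`, `an difference` → `a difference`.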