Comparison

mod_http_upload_external/share.php @ 3216:5d35e6b409e0

mod_http_upload_external: share.php: Use hash_equals() if available to protect against timing attack
author Matthew Wild <mwild1@gmail.com>
date Tue, 07 Aug 2018 19:12:52 +0100
parent 2979:9480ca61294d
child 3226:3b13f19652e2
comparison
equal deleted inserted replaced
3215:18ff93198e61 3216:5d35e6b409e0
72 if(array_key_exists('v', $_GET) === TRUE && $request_method === 'PUT') { 72 if(array_key_exists('v', $_GET) === TRUE && $request_method === 'PUT') {
73 $upload_file_size = $_SERVER['CONTENT_LENGTH']; 73 $upload_file_size = $_SERVER['CONTENT_LENGTH'];
74 $upload_token = $_GET['v']; 74 $upload_token = $_GET['v'];
75 75
76 $calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET); 76 $calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET);
77 if($upload_token !== $calculated_token) { 77 if(function_exists('hash_equals')) {
78 header('HTTP/1.0 403 Forbidden'); 78 if(hash_equals($calculated_token, $upload_token) !== TRUE) {
79 exit; 79 error_log("Token mismatch: calculated $calculated_token got $upload_token");
80 header('HTTP/1.0 403 Forbidden');
81 exit;
82 }
80 } 83 }
81 84 else {
85 if($upload_token !== $calculated_token) {
86 error_log("Token mismatch: calculated $calculated_token got $upload_token");
87 header('HTTP/1.0 403 Forbidden');
88 exit;
89 }
90 }
82 /* Open a file for writing */ 91 /* Open a file for writing */
83 $store_file = fopen($store_file_name, 'x'); 92 $store_file = fopen($store_file_name, 'x');
84 93
85 if($store_file === FALSE) { 94 if($store_file === FALSE) {
86 header('HTTP/1.0 409 Conflict'); 95 header('HTTP/1.0 409 Conflict');