
3216:5d35e6b409e0

mod_http_upload_external: share.php: Use hash_equals() if available to protect against timing attack
author Matthew Wild <mwild1@gmail.com>
date Tue, 07 Aug 2018 19:12:52 +0100
parents 3215:18ff93198e61
children 3217:063abaab666f
files mod_http_upload_external/share.php
diffstat 1 files changed, 13 insertions(+), 4 deletions(-) [+]
--- a/mod_http_upload_external/share.php	Sat Aug 04 16:10:40 2018 +0200
+++ b/mod_http_upload_external/share.php	Tue Aug 07 19:12:52 2018 +0100
@@ -74,11 +74,20 @@
 	$upload_token = $_GET['v'];
 
 	$calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET);
-	if($upload_token !== $calculated_token) {
-		header('HTTP/1.0 403 Forbidden');
-		exit;
+	if(function_exists('hash_equals')) {
+		if(hash_equals($calculated_token, $upload_token) !== TRUE) {
+			error_log("Token mismatch: calculated $calculated_token got $upload_token");
+			header('HTTP/1.0 403 Forbidden');
+			exit;
+		}
 	}
-
+	else {
+		if($upload_token !== $calculated_token) {
+			error_log("Token mismatch: calculated $calculated_token got $upload_token");
+			header('HTTP/1.0 403 Forbidden');
+			exit;
+		}
+	}
 	/* Open a file for writing */
 	$store_file = fopen($store_file_name, 'x');
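Review bot: The `error_log()` calls added on both branches write `$calculated_token` — the valid HMAC for this file name and size — into the server log next to the caller-supplied `$_GET['v']`, so anyone who can read the log obtains a token that authorises a write to that path, and the unescaped query value can carry newlines into the log. Log only a non-sensitive identifier, e.g. `error_log("Token mismatch for $upload_file_name");`. `hash_equals()` also requires string operands (a non-string `v` parameter produces a warning and `false` on PHP 5.6/7 and a `TypeError` on PHP 8), so casting `$upload_token` to string before the compare keeps such requests on the 403 path instead of an error. Since the two branches differ only in the comparison, the check can be collapsed to one block; the enclosing block continues outside the hunk on both sides.
```php
	$calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET);
	$token_ok = function_exists('hash_equals')
		? hash_equals($calculated_token, (string) $upload_token)
		: ((string) $upload_token === $calculated_token);
	if(!$token_ok) {
		error_log("Token mismatch for $upload_file_name");
		header('HTTP/1.0 403 Forbidden');
		exit;
	}
	// … unchanged: open the store file for writing …
```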