Update 'README.md'

fix potential timing attack in password validation reported by @sweis
2021-08-20 19:13:44 +00:00 · 2021-08-20 12:11:10 -07:00
2 changed files with 10 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -1,3 +1,8 @@
 ![](./img/logo.png)

-This is the PHP/webserver component for Lockbox. For instructions visit [the Lockbox app's main repository](https://git.openprivacy.ca/openprivacy/lockbox).
+This is the PHP/webserver component for Lockbox. For instructions visit [the Lockbox app's main repository](https://git.openprivacy.ca/openprivacy/lockbox).
+
+
+### Acknowledgements
+
+* thanks to Steve Weis (@sweis) for reporting a potential timing attack against admin password validation
--- a/admin.php
+++ b/admin.php
@ -2,7 +2,9 @@

 require_once 'php/config.inc.php';

-$password = "sexworkiswork";
+// To generate a password hash, use the following command on a secure local machine:
+// php -r 'echo password_hash("adminpasswordhere", PASSWORD_DEFAULT);'
+$password = '$2y$10$ORfmg3iGr25X2Y.MYxTp5OxYC02dUF8swQ/dbeYreMR0ea0LIUk0u';

 define('FORMCONTENTS', '<form method="post">
 		<p>Password: <input type="password" name="password"> <input type="submit" class="button-primary" value="Download encrypted submissions"></p>
@ -30,7 +32,7 @@ if (count($ADMIN_IPS) > 0 && array_search($ip, $ADMIN_IPS) === false) {
 	include footer;
 } else {
 	if (isset($_POST) && isset($_POST['password'])) {
-		if ($_POST['password'] === $password) {
+		if (password_verify($_POST['password'], $password)) {
 			header('Content-Type: application/octet-stream');
 			header("Content-Transfer-Encoding: Binary"); 
 			header("Content-disposition: attachment; filename=\"submissions.dat\"");
Author	SHA1	Message	Date
erinn	f3c7f1cc0b	Update 'README.md'	2021-08-20 19:13:44 +00:00
erinn	c168f7c88e	fix potential timing attack in password validation reported by @sweis	2021-08-20 12:11:10 -07:00