fix potential timing attack in password validation reported by @sweis

erinn 2021-08-20 12:11:10 -07:00
parent 5d0abf9db9
commit c168f7c88e
1 changed files with 4 additions and 2 deletions


@ -2,7 +2,9 @@
require_once 'php/config.inc.php';
$password = "sexworkiswork";
// To generate a password hash, use the following command on a secure local machine:
// php -r 'echo password_hash("adminpasswordhere", PASSWORD_DEFAULT);'
$password = '$2y$10$ORfmg3iGr25X2Y.MYxTp5OxYC02dUF8swQ/dbeYreMR0ea0LIUk0u';
define('FORMCONTENTS', '<form method="post">
<p>Password: <input type="password" name="password"> <input type="submit" class="button-primary" value="Download encrypted submissions"></p>
@ -30,7 +32,7 @@ if (count($ADMIN_IPS) > 0 && array_search($ip, $ADMIN_IPS) === false) {
include footer;
} else {
if (isset($_POST) && isset($_POST['password'])) {
if ($_POST['password'] === $password) {
if (password_verify($_POST['password'], $password)) {
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename=\"submissions.dat\"");
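Review bot: The new `$password = '$2y$10$…';` line only closes the exposure if that hash was generated from a newly chosen password, because the previous plaintext value remains readable in the repository history; please confirm the credential was rotated rather than re-hashed. Keeping the hash in a tracked file also leaves it open to offline guessing by anyone with read access to the repository, so consider loading it from a deployment-local file instead (possibly the already-included `php/config.inc.php`, if that file is untracked, which is not visible here). In the second hunk, `password_verify($_POST['password'], $password)` is handed whatever type the request supplies, and an array-valued `password[]` field raises a TypeError on PHP 8; `if (is_string($_POST['password'] ?? null) && password_verify($_POST['password'], $password)) {` avoids that and makes the `isset($_POST)` test unnecessary. The enclosing `else` branch continues past the end of the hunk, so handling of failed attempts (logging, throttling) could not be reviewed.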