From c168f7c88e9fdc812b3fecd78cf494e1eb9c0dbf Mon Sep 17 00:00:00 2001 From: erinn Date: Fri, 20 Aug 2021 12:11:10 -0700 Subject: [PATCH] fix potential timing attack in password validation reported by @sweis --- admin.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/admin.php b/admin.php index f9a3403..84be568 100644 --- a/admin.php +++ b/admin.php @@ -2,7 +2,9 @@ require_once 'php/config.inc.php'; -$password = "sexworkiswork"; +// To generate a password hash, use the following command on a secure local machine: +// php -r 'echo password_hash("adminpasswordhere", PASSWORD_DEFAULT);' +$password = '$2y$10$ORfmg3iGr25X2Y.MYxTp5OxYC02dUF8swQ/dbeYreMR0ea0LIUk0u'; define('FORMCONTENTS', '

Password:

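Review bot: The new `$password` line commits the bcrypt hash straight into admin.php, so the admin credential's hash is now tracked in version control and travels with every copy of the source (this patch e-mail included), handing anyone with repository access an offline cracking target; if the hash shown is a real one rather than a placeholder it should be rotated. Since `php/config.inc.php` is already required on the line above, the hash belongs there or in the environment rather than in code, e.g. `$password = getenv('ADMIN_PASSWORD_HASH') ?: '';` (an empty string makes `password_verify()` fail closed), keeping the generation comment. The comment could also note `// bcrypt ($2y$) only uses the first 72 bytes of the password`, since longer admin passwords are silently truncated. The `define('FORMCONTENTS', ...)` statement that follows continues past the end of the hunk.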
@@ -30,7 +32,7 @@ if (count($ADMIN_IPS) > 0 && array_search($ip, $ADMIN_IPS) === false) {
 include footer;
 } else {
 if (isset($_POST) && isset($_POST['password'])) {
- if ($_POST['password'] === $password) {
+ if (password_verify($_POST['password'], $password)) {
 header('Content-Type: application/octet-stream');
 header("Content-Transfer-Encoding: Binary");
 header("Content-disposition: attachment; filename=\"submissions.dat\"");
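Review bot: `password_verify()` takes a string, but `$_POST['password']` is an array when a client submits `password[]=x`, which on PHP 8 turns the changed line into an uncaught TypeError (and on PHP 7 a warning with a null return) rather than a clean rejection; guard the type on that line: `if (is_string($_POST['password']) && password_verify($_POST['password'], $password)) {`. The `isset($_POST)` test on the line above is always true for a superglobal and can be reduced to `isset($_POST['password'])`. Nothing in the hunk limits attempts, and each request now costs a cost-10 bcrypt verification, so a per-IP throttle or a short delay on failure is worth adding unless the `$ADMIN_IPS` allowlist is always populated in practice. The enclosing if/else block opens before and closes after this hunk.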