fix potential timing attack in password validation reported by @sweis
parent
5d0abf9db9
commit
c168f7c88e
|
@ -2,7 +2,9 @@
|
||||||
|
|
||||||
require_once 'php/config.inc.php';
|
require_once 'php/config.inc.php';
|
||||||
|
|
||||||
$password = "sexworkiswork";
|
// To generate a password hash, use the following command on a secure local machine:
|
||||||
|
// php -r 'echo password_hash("adminpasswordhere", PASSWORD_DEFAULT);'
|
||||||
|
$password = '$2y$10$ORfmg3iGr25X2Y.MYxTp5OxYC02dUF8swQ/dbeYreMR0ea0LIUk0u';
|
||||||
|
|
||||||
define('FORMCONTENTS', '<form method="post">
|
define('FORMCONTENTS', '<form method="post">
|
||||||
<p>Password: <input type="password" name="password"> <input type="submit" class="button-primary" value="Download encrypted submissions"></p>
|
<p>Password: <input type="password" name="password"> <input type="submit" class="button-primary" value="Download encrypted submissions"></p>
|
||||||
|
@ -30,7 +32,7 @@ if (count($ADMIN_IPS) > 0 && array_search($ip, $ADMIN_IPS) === false) {
|
||||||
include footer;
|
include footer;
|
||||||
} else {
|
} else {
|
||||||
if (isset($_POST) && isset($_POST['password'])) {
|
if (isset($_POST) && isset($_POST['password'])) {
|
||||||
if ($_POST['password'] === $password) {
|
if (password_verify($_POST['password'], $password)) {
|
||||||
header('Content-Type: application/octet-stream');
|
header('Content-Type: application/octet-stream');
|
||||||
header("Content-Transfer-Encoding: Binary");
|
header("Content-Transfer-Encoding: Binary");
|
||||||
header("Content-disposition: attachment; filename=\"submissions.dat\"");
|
header("Content-disposition: attachment; filename=\"submissions.dat\"");
|
||||||
|
|
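Review bot: The `$password = '$2y$10$…'` line added in the first hunk commits a working bcrypt hash to the tracked file, so every deployment that keeps this default shares one admin credential whose hash is public and exposed to offline guessing; the plaintext value this commit removes also remains in the repository history and should be treated as burned and rotated. Consider shipping the value empty, setting it per installation (for example in `php/config.inc.php`, which is already required at the top, assuming that file is deployment-local), and failing closed when it is unset: `if (!is_string($password) || $password === '') { exit; }`. The documented `php -r 'echo password_hash("adminpasswordhere", PASSWORD_DEFAULT);'` command leaves the plaintext in shell history and the process list, so the comment could instead suggest reading it from standard input, e.g. `php -r 'echo password_hash(rtrim(fgets(STDIN), "\r\n"), PASSWORD_DEFAULT), PHP_EOL;'`. In the second hunk, `isset($_POST['password'])` is also true for an array value, so adding `is_string($_POST['password'])` before `password_verify()` avoids a type error on malformed input; that `if` block continues past the end of the hunk.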