fix potential timing attack in password validation reported by @sweis
This commit is contained in:
parent
5d0abf9db9
commit
c168f7c88e
@ -2,7 +2,9 @@
|
|||
|
||||
require_once 'php/config.inc.php';
|
||||
|
||||
$password = "sexworkiswork";
|
||||
// To generate a password hash, use the following command on a secure local machine:
|
||||
// php -r 'echo password_hash("adminpasswordhere", PASSWORD_DEFAULT);'
|
||||
$password = '$2y$10$ORfmg3iGr25X2Y.MYxTp5OxYC02dUF8swQ/dbeYreMR0ea0LIUk0u';
|
||||
|
||||
define('FORMCONTENTS', '<form method="post">
|
||||
<p>Password: <input type="password" name="password"> <input type="submit" class="button-primary" value="Download encrypted submissions"></p>
|
||||
|
@ -30,7 +32,7 @@ if (count($ADMIN_IPS) > 0 && array_search($ip, $ADMIN_IPS) === false) {
|
|||
include footer;
|
||||
} else {
|
||||
if (isset($_POST) && isset($_POST['password'])) {
|
||||
if ($_POST['password'] === $password) {
|
||||
if (password_verify($_POST['password'], $password)) {
|
||||
header('Content-Type: application/octet-stream');
|
||||
header("Content-Transfer-Encoding: Binary");
|
||||
header("Content-disposition: attachment; filename=\"submissions.dat\"");
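Review bot: The new `password_verify()` call on the line after `if (isset($_POST) && isset($_POST['password']))` still receives `$_POST['password']` with no type check, so a request sending `password[]=x` passes an array and `password_verify()` throws a TypeError on PHP 8 (a warning and a null return on 7.x) instead of simply failing the check; tighten the guard to `if (isset($_POST['password']) && is_string($_POST['password'])) {` (the leading `isset($_POST)` is always true and can go). Switching to `password_verify()` removes the `===` timing oracle, but nothing in this hunk limits attempts, so a single shared admin password is still exposed to online guessing; some throttling or lockout ahead of this branch is worth a follow-up. The plaintext value removed in the first hunk remains in the repository history, so the new hash should presumably not be for that same password. Since `$password` now holds a bcrypt hash rather than a secret, renaming it to `$passwordHash` would make `password_verify($_POST['password'], $passwordHash)` read correctly. The enclosing `else` branch and the `if` it belongs to begin outside this hunk.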