
Deprecate the obsolete pun_hash_equals() function

franzliedke committed Jan 2, 2019
1 parent 7d0fc9c commit 82f0ae44468b141a60f49d4b4d5611b12fc7168b
Showing with 9 additions and 8 deletions.
  1. +9 −8 include/functions.php
@@ -32,7 +32,7 @@ function check_cookie(&$pun_user)
if (isset($cookie) && $cookie['user_id'] > 1 && $cookie['expiration_time'] > $now)
{
// If the cookie has been tampered with
$is_authorized = pun_hash_equals(forum_hmac($cookie['user_id'].'|'.$cookie['expiration_time'], $cookie_seed.'_cookie_hash'), $cookie['cookie_hash']);
$is_authorized = hash_equals(forum_hmac($cookie['user_id'].'|'.$cookie['expiration_time'], $cookie_seed.'_cookie_hash'), $cookie['cookie_hash']);
if (!$is_authorized)
{
$expire = $now + 31536000; // The cookie expires after a year
@@ -47,7 +47,7 @@ function check_cookie(&$pun_user)
$pun_user = $db->fetch_assoc($result);
// If user authorisation failed
$is_authorized = pun_hash_equals(forum_hmac($pun_user['password'], $cookie_seed.'_password_hash'), $cookie['password_hash']);
$is_authorized = hash_equals(forum_hmac($pun_user['password'], $cookie_seed.'_password_hash'), $cookie['password_hash']);
if (!isset($pun_user['id']) || !$is_authorized)
{
$expire = $now + 31536000; // The cookie expires after a year
@@ -154,7 +154,7 @@ function authenticate_user($user, $password, $password_is_hash = false)
$result = $db->query('SELECT u.*, g.*, o.logged, o.idle FROM '.$db->prefix.'users AS u INNER JOIN '.$db->prefix.'groups AS g ON g.g_id=u.group_id LEFT JOIN '.$db->prefix.'online AS o ON o.user_id=u.id WHERE '.(is_int($user) ? 'u.id='.intval($user) : 'u.username=\''.$db->escape($user).'\'')) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
$pun_user = $db->fetch_assoc($result);
$is_password_authorized = pun_hash_equals($password, $pun_user['password']);
$is_password_authorized = hash_equals($password, $pun_user['password']);
$is_hash_authorized = pun_password_verify($password, $pun_user['password']);
if (!isset($pun_user['id']) ||
@@ -1117,7 +1117,7 @@ function pun_password_hash($pass)
function pun_password_verify($pass, $hash)
{
if (!empty($hash) && $hash[0] !== '$')
return pun_hash_equals(pun_hash($pass), $hash);
return hash_equals(pun_hash($pass), $hash);
else
return password_verify($pass, $hash);
}
@@ -1132,15 +1132,15 @@ function pun_password_verify_legacy($pass, $hash, $salt = null)
{
// MD5 from 1.2
if (strlen($hash) < 40)
return pun_hash_equals(md5($pass), $hash);
return hash_equals(md5($pass), $hash);
// SHA1-With-Salt from 1.3
if (!empty($salt))
return pun_hash_equals(sha1($salt . sha1($pass)), $hash);
return hash_equals(sha1($salt . sha1($pass)), $hash);
// SHA1-Without-Salt from 1.4
if (strlen($hash) == 40)
return pun_hash_equals(sha1($pass), $hash);
return hash_equals(sha1($pass), $hash);
// Support current password standard
return pun_password_verify($pass, $hash);
@@ -1190,6 +1190,7 @@ function pun_hash($str)
//
// Compare two strings in constant time
// Inspired by WordPress
// @deprecated
//
function pun_hash_equals($a, $b)
{
@@ -1218,7 +1219,7 @@ function check_csrf($token)
{
global $lang_common;
$is_hash_authorized = pun_hash_equals($token, pun_csrf_token());
$is_hash_authorized = hash_equals($token, pun_csrf_token());
if (!isset($token) || !$is_hash_authorized)
message($lang_common['Bad csrf hash'], false, '404 Not Found');
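Review bot: hash_equals() is stricter about argument types than the polyfill it replaces — on PHP 7 it emits a warning and returns false, and on PHP 8 it throws a TypeError, when either argument is not a string — yet several of the new call sites still compare before they validate. In authenticate_user the new `hash_equals($password, $pun_user['password'])` runs above the `!isset($pun_user['id'])` check, so an unknown username passes null as the second argument; check_cookie has the same order with `$pun_user['password']` and `$cookie['password_hash']`, and check_csrf compares `$token` before `!isset($token)`. Moving the guards ahead of the comparison avoids that, e.g. in check_csrf `if (!isset($token) || !is_string($token) || !hash_equals($token, pun_csrf_token()))`, and in authenticate_user testing `isset($pun_user['id'])` before computing `$is_password_authorized`. Whether the cookie fields at `$cookie['cookie_hash']` can arrive as non-strings depends on how `$cookie` is decoded, which is not visible in this diff. All of these functions start or end outside the hunks shown.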
