Use hash_equals for comparing token
Signed-off-by: Michal Čihař <michal@cihar.com>
nijel committed Jan 19, 2016
1 parent dbb2673 commit ec0e88e
Showing 2 changed files with 10 additions and 1 deletion.
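--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -474,7 +474,7 @@
 $token_provided = false;
 if (PMA_isValid($_REQUEST['token'])) {
 $token_provided = true;
-$token_mismatch = ($_SESSION[' PMA_token '] != $_REQUEST['token']);
+$token_mismatch = ! hash_equals($_SESSION[' PMA_token '], $_REQUEST['token']);
 }
 
 if ($token_mismatch) {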
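Review bot: `hash_equals()` expects two strings, and nothing visible in this hunk guarantees that `$_SESSION[' PMA_token ']` is a set, non-empty string when the comparison runs. `PMA_isValid()` is defined elsewhere, so whether it restricts `$_REQUEST['token']` to a non-empty scalar cannot be confirmed from here. If the session token can ever be missing, `$token_mismatch = empty($_SESSION[' PMA_token ']) || ! hash_equals($_SESSION[' PMA_token '], $_REQUEST['token']);` makes the mismatch explicit instead of relying on how the native function or the fallback reacts to a null argument. The surrounding block starts and ends outside the hunk.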
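--- a/libraries/core.lib.php
+++ b/libraries/core.lib.php
@@ -998,3 +998,12 @@ function PMA_setGlobalDbOrTable($param)
 $GLOBALS['url_params'][$param] = $GLOBALS[$param];
 }
 }
+
+/* Compatibility with PHP < 5.6 */
+if(! function_exists('hash_equals')) {
+function hash_equals($a, $b) {
+$ret = strlen($a) ^ strlen($b);
+$ret |= array_sum(unpack("C*", $a ^ $b));
+return ! $ret;
+}
+}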
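Review bot: The fallback `hash_equals()` does not check argument types, whereas the native PHP 5.6 function warns and returns false for anything that is not a string. With non-string arguments `$a ^ $b` is no longer a byte-wise XOR, so the result stops being a byte comparison and the fallback can behave differently from the built-in it stands in for. Adding `if (! is_string($a) || ! is_string($b)) { return false; }` as the first statement keeps both implementations failing closed in the same way. A one-line comment that the `strlen()` XOR is required because string XOR truncates to the shorter operand would also help; without that term a token that is only a prefix of the other would compare as equal.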
