
Commit ec0e88e

committed
Use hash_equals for comparing token
Signed-off-by: Michal Čihař <michal@cihar.com>
1 parent dbb2673 commit ec0e88e


2 files changed

+10
-1
lines changed


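--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -474,7 +474,7 @@
 $token_provided = false;
 if (PMA_isValid($_REQUEST['token'])) {
 $token_provided = true;
-$token_mismatch = ($_SESSION[' PMA_token '] != $_REQUEST['token']);
+$token_mismatch = ! hash_equals($_SESSION[' PMA_token '], $_REQUEST['token']);
 }
 
 if ($token_mismatch) {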
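Review bot: Nothing visible in this hunk guarantees that the second argument to `hash_equals()` is a string, since PHP turns bracketed request parameters into arrays and `$_REQUEST['token']` is passed through unchanged. Whether `PMA_isValid()` with its default arguments already rejects non-scalar values is not visible here, so that should be confirmed; if it does not, the built-in emits a warning (a TypeError on PHP 8) instead of producing a clean mismatch. An explicit guard keeps the result fail-closed without relying on that: `$token_mismatch = ! is_string($_REQUEST['token']) || ! hash_equals($_SESSION[' PMA_token '], $_REQUEST['token']);`. The fallback added in libraries/core.lib.php has the same gap from the other side, as it does no type check at all, so its first line could be `if (! is_string($a) || ! is_string($b)) { return false; }`. The enclosing block starts and ends outside the hunk.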

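--- a/libraries/core.lib.php
+++ b/libraries/core.lib.php
@@ -998,3 +998,12 @@ function PMA_setGlobalDbOrTable($param)
 $GLOBALS['url_params'][$param] = $GLOBALS[$param];
 }
 }
+
+/* Compatibility with PHP < 5.6 */
+if(! function_exists('hash_equals')) {
+function hash_equals($a, $b) {
+$ret = strlen($a) ^ strlen($b);
+$ret |= array_sum(unpack("C*", $a ^ $b));
+return ! $ret;
+}
+}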
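Review bot: The fallback `hash_equals()` has no comment explaining why both the `strlen` XOR and the byte-wise XOR are needed, which makes it easy to break in a later cleanup. In PHP, `$a ^ $b` on two strings yields a result only as long as the shorter operand, so without the length term a string would compare equal to any longer string that starts with it. I would add a comment above the function such as `/* Timing-safe string comparison; the length XOR must stay because $a ^ $b is truncated to the shorter operand. */`. As a style point, `if(! function_exists(` would read more consistently as `if (! function_exists(`, matching the `if (PMA_isValid(` spacing seen in libraries/common.inc.php.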
