Use hash_equals when comparing to pwhash from cookie #1652
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
By submitting this pull request, I confirm the following:
git rebase
)git commit --signoff
)What does this PR aim to accomplish?:
As discussed at the Pi-hole security mailbox, opening a PR to address this:
In the file
scripts/pi-hole/php/password.php
for the Pi-hole web user interface, I noted that most comparisons are made in a time safe manner, however there is a single authentication relevant comparison made which does not utilise this protection. Namely here https://github.com/pi-hole/AdminLTE/blob/8ac95be7c1870b3c10824fdb70ed216ad334f0aa/scripts/pi-hole/php/password.php#L45 a basic (type safe) equality is made when comparing the string stored in the cookiepersistentlogin
to the password hash stored on disk. It may therefore be possible to infer the stored password hash by carrying out a timing attack against this parameter.This PR aims to prevent the possibility of a timing attack against the
persistentlogin
cookie to reveal the stored password hash.How does this PR accomplish the above?:
Use
hash_equals
for this comparison, as is currently done in similar operations.What documentation changes (if any) are needed to support this PR?:
None.