Commit 5b0eb457 authored by João Ventura's avatar João Ventura Committed by Joao Ventura

Issue #3183248 by jcnventura, greggles, Mingsong: Prevent timing attack on code validation

parent 886e938e
Tags 8.x-1.0-alpha6
......@@ -161,7 +161,7 @@ abstract class TfaBasePlugin extends PluginBase {
* Whether code is valid.
*/
protected function validate($code) {
if ((string) $code === (string) $this->code) {
if (hash_equals((string) $code, (string) $this->code)) {
$this->isValid = TRUE;
return TRUE;
}
......
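Review bot: The reason for the new comparison is not recorded at the call site; the docblock cut off at the top of the hunk only says the method returns whether the code is valid, so a later maintainer could plausibly simplify it back to `===`. A one-line comment above it would prevent that, e.g. `// Constant-time comparison so response time does not reveal how much of the code matched.`. Passing `(string) $this->code` as the first argument is the right order, since hash_equals() treats its first parameter as the known value. One thing to confirm: the `(string)` cast turns a NULL `$this->code` into '', so an empty submission would compare equal if validate() can ever be reached with no code configured — presumably it cannot, but the hunk does not show it. validate()'s body continues past the hunk.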
......@@ -239,7 +239,7 @@ class TfaRecoveryCode extends TfaBasePlugin implements TfaValidationInterface, C
$code = str_replace(' ', '', $code);
foreach ($codes as $id => $stored) {
// Remove spaces from stored code.
if (trim(str_replace(' ', '', $stored)) === $code) {
if (hash_equals(trim(str_replace(' ', '', $stored)), $code)) {
$this->isValid = TRUE;
unset($codes[$id]);
$this->storeCodes($codes);
......
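Review bot: Unlike the base plugin's validate(), neither operand here is cast to string, so if `$code` or a stored entry can reach this line as a non-string (the source of `$code` is outside the hunk), hash_equals() raises a TypeError on PHP 8 and only warns and returns FALSE on PHP 7; a cast keeps the two call sites consistent: `if (hash_equals(trim(str_replace(' ', '', (string) $stored)), (string) $code)) {`. The two sides are also normalised asymmetrically — `$stored` is space-stripped and trimmed while `$code` (space-stripped on the line above) is never trimmed — which predates this commit but is worth deciding on while the line is being rewritten. As in the base plugin, a short comment such as `// Constant-time comparison to avoid leaking how much of the code matched.` would explain why hash_equals() is used instead of `===`. The enclosing method starts and ends outside the hunk.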