Commit 5b0eb457 authored 4 years ago by João Ventura
Committed by Joao Ventura 4 years ago
Issue #3183248 by jcnventura, greggles, Mingsong: Prevent timing attack on code validation
parent 886e938e
Tags 8.x-1.0-alpha6
Showing 2 changed files with 2 additions and 2 deletions
src/Plugin/TfaBasePlugin.php: 1 addition, 1 deletion
src/Plugin/TfaValidation/TfaRecoveryCode.php: 1 addition, 1 deletion
src/Plugin/TfaBasePlugin.php +1 −1
...
...
@@ -161,7 +161,7 @@ abstract class TfaBasePlugin extends PluginBase {
* Whether code is valid.
*/
protected
function
validate
(
$code
)
{
if
((
string
)
$code
===
(
string
)
$this
->
code
)
{
if
(
hash_equals
((
string
)
$code
,
(
string
)
$this
->
code
)
)
{
$this
->
isValid
=
TRUE
;
return
TRUE
;
}
...
...
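Review bot: The hash_equals() call in validate() passes its arguments in the reverse of the documented order: PHP defines hash_equals($known_string, $user_string), but here the $code being validated comes first and the expected $this->code second. The comparison result is the same either way, but the PHP manual asks for the user-supplied value as the second parameter, and the TfaRecoveryCode hunk in this same commit already puts the stored value first, so I would write `hash_equals((string) $this->code, (string) $code)` for consistency. The (string) casts carried over from the old line are worth keeping, since hash_equals() does not accept non-string arguments.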
src/Plugin/TfaValidation/TfaRecoveryCode.php +1 −1
...
...
@@ -239,7 +239,7 @@ class TfaRecoveryCode extends TfaBasePlugin implements TfaValidationInterface, C
$code
=
str_replace
(
' '
,
''
,
$code
);
foreach
(
$codes
as
$id
=>
$stored
)
{
// Remove spaces from stored code.
if
(
trim
(
str_replace
(
' '
,
''
,
$stored
))
===
$code
)
{
if
(
hash_equals
(
trim
(
str_replace
(
' '
,
''
,
$stored
))
,
$code
)
)
{
$this
->
isValid
=
TRUE
;
unset
(
$codes
[
$id
]);
$this
->
storeCodes
(
$codes
);
...
...
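Review bot: In the foreach, the new hash_equals() call receives $code with no string cast or type check, unlike the call in TfaBasePlugin::validate(), which casts both sides. The visible context only shows `$code = str_replace(' ', '', $code);`, and str_replace() returns an array when its subject is an array, so unless something above the visible lines guarantees a string, a non-string $code would now reach hash_equals(), which raises a warning or a TypeError depending on the PHP version, where the old `===` simply evaluated to false. Checking `is_string($code)` before the loop would keep the failure mode the same as before. As a minor readability point, the normalized `trim(str_replace(' ', '', $stored))` could be assigned to a local variable before the comparison.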