mod_http_upload_external: share.php: Use hash_equals() if available to protect against timing attack
--- a/mod_http_upload_external/share.php Sat Aug 04 16:10:40 2018 +0200
+++ b/mod_http_upload_external/share.php Tue Aug 07 19:12:52 2018 +0100
@@ -74,11 +74,20 @@
$upload_token = $_GET['v'];
$calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET);
- if($upload_token !== $calculated_token) {
- header('HTTP/1.0 403 Forbidden');
- exit;
+ if(function_exists('hash_equals')) {
+ if(hash_equals($calculated_token, $upload_token) !== TRUE) {
+ error_log("Token mismatch: calculated $calculated_token got $upload_token");
+ header('HTTP/1.0 403 Forbidden');
+ exit;
+ }
}
-
+ else {
+ if($upload_token !== $calculated_token) {
+ error_log("Token mismatch: calculated $calculated_token got $upload_token");
+ header('HTTP/1.0 403 Forbidden');
+ exit;
+ }
+ }
/* Open a file for writing */
$store_file = fopen($store_file_name, 'x');
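Review bot: The two new error_log() calls (the lines after `hash_equals(...) !== TRUE` and after `$upload_token !== $calculated_token`) write the correct HMAC token for this file into the server log, so anyone who can read the log learns exactly the value that passes the check; the constant-time comparison this commit adds is undercut by logging the secret it protects. Log only the fact and the file, e.g. `error_log("Token mismatch for $upload_file_name");`. Separately, hash_equals() requires both arguments to be strings, but `$upload_token` comes straight from `$_GET['v']` (context line at the top of the hunk) and may be missing or a non-string; PHP 7 then emits a warning and returns false, and PHP 8 throws a TypeError, turning the intended 403 into a 500. Normalising before the comparison, `$upload_token = isset($_GET['v']) && is_string($_GET['v']) ? $_GET['v'] : '';`, keeps both branches on the 403 path. The two branches also duplicate the same four lines; computing a single `$token_ok` boolean from whichever comparison is available and having one 403 block would be easier to keep consistent.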