Use phutil_hashes_are_identical() when comparing hashes in Phabricator
29948eaa5bd2
Actions

Authored by epriestley <git@epriestley.com> on Sep 2 2015, 00:52.

Description

Use phutil_hashes_are_identical() when comparing hashes in Phabricator

Summary: See D14025. In all cases where we compare hashes, use strict, constant-time comparisons.

Test Plan: Logged in, logged out, added TOTP, ran Conduit, terminated sessions, submitted forms, changed password. Tweaked CSRF token, got rejected.

Reviewers: chad

Reviewed By: chad

Subscribers: chenxiruanhai

Committed

epriestley <git@epriestley.com>

Sep 2 2015, 00:52

Pushed

aubort

Jan 31 2017, 17:16

Parents

Branches

Unknown

Tags

Unknown

				Path
	M			src/applications/auth/controller/PhabricatorAuthController.php
	M			src/applications/auth/controller/PhabricatorAuthTerminateSessionController.php
	M			src/applications/auth/engine/PhabricatorAuthSessionEngine.php
	M			src/applications/auth/factor/PhabricatorTOTPAuthFactor.php
	M			src/applications/auth/provider/PhabricatorAuthProvider.php
	M			src/applications/conduit/controller/PhabricatorConduitAPIController.php
	M			src/applications/conduit/method/ConduitConnectConduitAPIMethod.php
	M			src/applications/metamta/controller/PhabricatorMetaMTAMailgunReceiveController.php
	M			src/applications/people/storage/PhabricatorUser.php
	M			src/applications/settings/panel/PhabricatorSessionsSettingsPanel.php
	M			src/infrastructure/util/password/PhabricatorPasswordHasher.php