use hash_equals to compare hashes

2e1f5aa3 · Daniel Ruf · 4eb6261c · 2e1f5aa3
Commit 2e1f5aa3 authored Feb 24, 2016 by Daniel Ruf
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

users.php qa-include/app/users.php +2 -2

No files found.
--- a/qa-include/app/users.php
+++ b/qa-include/app/users.php
@@ -367,7 +367,7 @@
 				$sessionuserid=@$_SESSION['qa_session_userid_'.$suffix];

 				if (isset($sessionuserid)) // check verify code matches
-					if (@$_SESSION['qa_session_verify_'.$suffix] != qa_session_verify_code($sessionuserid))
+					if (!hash_equals(qa_session_verify_code($sessionuserid), @$_SESSION['qa_session_verify_'.$suffix]))
 						qa_clear_session_user();

 				if (!empty($_COOKIE['qa_session'])) {
@@ -1178,7 +1178,7 @@ in a category for which they have elevated privileges).
 				}

 				if (empty($silentproblems) && empty($reportproblems))
-					if (strtolower(qa_calc_form_security_hash($action, $timestamp))!=strtolower($hash))
+					if (!hash_equals(strtolower(qa_calc_form_security_hash($action, $timestamp)), strtolower($hash)))
 						$reportproblems[]='code mismatch';

 			} else