Page MenuHomePhabricator

Use phutil_hashes_are_identical() when comparing hashes in Phabricator
ClosedPublic

Authored by epriestley on Sep 1 2015, 2:39 AM.
Tags
None
Referenced Files
F14360542: D14026.diff
Fri, Dec 20, 10:23 AM
Unknown Object (File)
Thu, Dec 19, 12:55 AM
Unknown Object (File)
Mon, Dec 9, 9:13 AM
Unknown Object (File)
Sat, Dec 7, 2:39 AM
Unknown Object (File)
Sun, Nov 24, 9:56 AM
Unknown Object (File)
Wed, Nov 20, 2:15 PM
Unknown Object (File)
Nov 19 2024, 1:18 PM
Unknown Object (File)
Oct 27 2024, 1:18 AM

Details

Summary

See D14025. In all cases where we compare hashes, use strict, constant-time comparisons.

Test Plan

Logged in, logged out, added TOTP, ran Conduit, terminated sessions, submitted forms, changed password. Tweaked CSRF token, got rejected.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Use phutil_hashes_are_identical() when comparing hashes in Phabricator.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
src/applications/people/storage/PhabricatorUser.php
411–412

The extra changes here are just following through with this and removing support for the plain CSRF tokens. The BREACH tokens have been in the wild for a little over a year, now.

chad edited edge metadata.
This revision is now accepted and ready to land.Sep 1 2015, 2:46 AM
This revision was automatically updated to reflect the committed changes.