
Updated token verification for @wunderfeyd

markseu vor 7 Jahren
Ursprung
Commit
6299c44a89
2 geänderte Dateien mit 22 neuen und 17 gelöschten Zeilen
  1. 10 4
      system/plugins/core.php
  2. 12 13
      system/plugins/edit.php

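--- a/system/plugins/core.php
+++ b/system/plugins/core.php
@@ -3360,11 +3360,17 @@ class YellowToolbox
 		return $this->verifyToken($hashCalculated, $hash);
 	}
 	
-	// Verify that text is identical, timing attack safe text string comparison
-	function verifyToken($text1, $text2)
+	// Verify that token is not empty and identical, timing attack safe text string comparison
+	function verifyToken($tokenExpected, $tokenReceived)
 	{
-		$ok = !empty($text1) && strlenb($text1)==strlenb($text2);
-		if($ok) for($i=0; $i<strlenb($text1); ++$i) $ok &= $text1[$i]==$text2[$i];
+		$ok = false;
+		$lengthExpected = strlenb($tokenExpected);
+		$lengthReceived = strlenb($tokenReceived);
+		if($lengthExpected!=0 && $lengthReceived!=0)
+		{
+			$ok = $lengthExpected==$lengthReceived;
+			for($i=0; $i<$lengthReceived; ++$i) $ok &= $tokenExpected[$i<$lengthExpected ? $i : 0]==$tokenReceived[$i];
+		}
 		return $ok;
 	}
 	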
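Review bot: The rewritten verifyToken body hand-rolls what PHP's `hash_equals()` has provided since 5.6, and the engine-maintained primitive is the safer choice if the project's minimum PHP version allows it (not visible here): `if(!is_string($tokenExpected) || !is_string($tokenReceived)) return false;` followed by `return strlenb($tokenExpected)!=0 && strlenb($tokenReceived)!=0 && hash_equals($tokenExpected, $tokenReceived);`. The loop as written does look constant-time with respect to the expected token's content, since the iteration count is the received length and the ternary depends only on lengths, so this is an idiom point rather than a leak. One behavioural wrinkle the rename does not fix: `$ok &= ...` is a bitwise and, so the function returns int 0/1 rather than bool when the loop runs, which would surprise any caller using `=== true`; `return (bool)$ok;` restores the documented contract.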

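--- a/system/plugins/edit.php
+++ b/system/plugins/edit.php
@@ -1512,7 +1512,8 @@ class YellowUsers
 	// Create authentication token
 	function createAuthToken($email)
 	{
-		$session = $this->createSession($email);
+		$session = $this->yellow->toolbox->createHash($this->users[$email]["hash"], "sha256");
+		if(empty($session)) $session = "padd"."error-hash-algorithm-sha256";
 		return substru($session, 4).$this->getStamp($email);
 	}
 	
@@ -1522,14 +1523,6 @@ class YellowUsers
 		return $this->yellow->toolbox->createSalt(64);
 	}
 	
-	// Create user session
-	function createSession($email)
-	{
-		$session = $this->yellow->toolbox->createHash($this->users[$email]["hash"], "sha256");
-		if(empty($session)) $session = "error-hash-algorithm-sha256";
-		return $session;
-	}
-	
 	// Create user stamp
 	function createStamp()
 	{
@@ -1664,11 +1657,17 @@ class YellowUsers
 		return $data;
 	}
 	
-	// Verify that text is identical, timing attack safe text string comparison
-	function verifyToken($text1, $text2) //TODO: remove later, use directly from core after next release
+	// Verify that token is not empty and identical, timing attack safe text string comparison
+	function verifyToken($tokenExpected, $tokenReceived) //TODO: remove later, use directly from core after next release
 	{
-		$ok = !empty($text1) && strlenb($text1)==strlenb($text2);
-		if($ok) for($i=0; $i<strlenb($text1); ++$i) $ok &= $text1[$i]==$text2[$i];
+		$ok = false;
+		$lengthExpected = strlenb($tokenExpected);
+		$lengthReceived = strlenb($tokenReceived);
+		if($lengthExpected!=0 && $lengthReceived!=0)
+		{
+			$ok = $lengthExpected==$lengthReceived;
+			for($i=0; $i<$lengthReceived; ++$i) $ok &= $tokenExpected[$i<$lengthExpected ? $i : 0]==$tokenReceived[$i];
+		}
 		return $ok;
 	}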
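Review bot: The fallback in createAuthToken, `if(empty($session)) $session = "padd"."error-hash-algorithm-sha256";`, fails open: `substru($session, 4)` strips the four-character `padd`, so whenever createHash() yields nothing the issued token is the fixed, publicly known string `error-hash-algorithm-sha256` plus the stamp, and a verifier that recomputes the same fallback would accept a token anyone can construct. Since this commit's verifyToken now rejects empty tokens, failing closed is cheap: `if(empty($session)) return "";` — the caller (outside this hunk) must then treat an empty token as unauthenticated, which I cannot confirm from here. A one-line comment such as `// token is derived from the stored password hash, so it only changes when the password does` would also document the rotation property this design implies, as far as the visible code shows it.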