authorPierre Schmitz <pierre@archlinux.de>2015-12-18 06:04:58 +0100
committerPierre Schmitz <pierre@archlinux.de>2015-12-18 06:04:58 +0100
commit257401d8b2cf661adf36c84b0e3fd1cf85e33c22 (patch)
treef8c25e7fa0c2ba18f27c52415c19cb579a316178 /includes/User.php
parenta1789ddde42033f1b05cc4929491214ee6e79383 (diff)
Update to MediaWiki 1.26.1
Diffstat (limited to 'includes/User.php')
-rw-r--r--includes/User.php7
1 files changed, 3 insertions, 4 deletions
diff --git a/includes/User.php b/includes/User.php
index 22c90cdd..199dd1dc 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -1029,11 +1029,10 @@ class User implements IDBAccessObject {
// stopping at a minimum of 10 chars.
$length = max( 10, $wgMinimalPasswordLength );
// Multiply by 1.25 to get the number of hex characters we need
- $length = $length * 1.25;
// Generate random hex chars
- $hex = MWCryptRand::generateHex( $length );
+ $hex = MWCryptRand::generateHex( ceil( $length * 1.25 ) );
// Convert from base 16 to base 32 to get a proper password like string
- return wfBaseConvert( $hex, 16, 32 );
+ return substr( wfBaseConvert( $hex, 16, 32, $length ), -$length );
}
/**
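Review bot: The new return line pads and then truncates the converted string without saying why, and the `// Multiply by 1.25 ...` comment no longer sits directly above the expression it describes. I would add above the return: `// Pad to $length and keep only the last $length chars so the password length is exact, whether the random value has leading zero digits or the rounded-up hex count yields an extra base-32 digit.` Separately, `ceil()` returns a float in PHP, so `(int)ceil( $length * 1.25 )` would pass `generateHex()` an integer count; whether that method accepts a float is not visible here. The function's opening lines are outside the hunk.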
@@ -4177,7 +4176,7 @@ class User implements IDBAccessObject {
$salt, $request ?: $this->getRequest(), $timestamp
);
- if ( $val != $sessionToken ) {
+ if ( !hash_equals( $sessionToken, $val ) ) {
wfDebug( "User::matchEditToken: broken session data\n" );
}
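Review bot: The comparison switched to `hash_equals()` here only guards a debug log line, and the comparison that decides the result of `matchEditToken` is not in this hunk; the function body starts before and continues after it. Confirm that the returning comparison is constant-time too, for example `return hash_equals( $sessionToken, $val );`, otherwise the timing difference of `!=` on the token presumably remains on the path that matters. `hash_equals()` also expects two strings and is built in only from PHP 5.6, so `$val` should be known to be a string by this point and older runtimes need a fallback definition; neither is visible in these lines.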