From a4edbfa031eb4cd72678051f1510afde4f77951e Mon Sep 17 00:00:00 2001
From: Pierre Schmitz <pierre@archlinux.de>
Date: Fri, 28 Feb 2014 08:36:29 +0100
Subject: Update to MediaWiki 1.22.3

---
 includes/User.php | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

(limited to 'includes/User.php')

diff --git a/includes/User.php b/includes/User.php
index 12912e1c..62324043 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -984,7 +984,8 @@ class User {
 			# Get the token from DB/cache and clean it up to remove garbage padding.
 			# This deals with historical problems with bugs and the default column value.
 			$token = rtrim( $proposedUser->getToken( false ) ); // correct token
-			$passwordCorrect = ( strlen( $token ) && $token === $request->getCookie( 'Token' ) );
+			// Make comparison in constant time (bug 61346)
+			$passwordCorrect = strlen( $token ) && $this->compareSecrets( $token, $request->getCookie( 'Token' ) );
 			$from = 'cookie';
 		} else {
 			// No session or persistent login cookie
@@ -1003,6 +1004,25 @@ class User {
 		}
 	}
 
+	/**
+	 * A comparison of two strings, not vulnerable to timing attacks
+	 * @param string $answer the secret string that you are comparing against.
+	 * @param string $test compare this string to the $answer.
+	 * @return bool True if the strings are the same, false otherwise
+	 */
+	protected function compareSecrets( $answer, $test ) {
+		if ( strlen( $answer ) !== strlen( $test ) ) {
+			$passwordCorrect = false;
+		} else {
+			$result = 0;
+			for ( $i = 0; $i < strlen( $answer ); $i++ ) {
+				$result |= ord( $answer{$i} ) ^ ord( $test{$i} );
+			}
+			$passwordCorrect = ( $result == 0 );
+		}
+		return $passwordCorrect;
+	}
+
 	/**
 	 * Load user and user_group data from the database.
 	 * $this->mId must be set, this is how the user is identified.
-- 
cgit v1.2.3-54-g00ecf