PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-06-25 16:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix non-constant-time credential comparisons

Browse Source 
- account.php: replace !== CSRF token check with hash_equals
- ShareLink::setPassword(): also encrypt and store plain-text password
  alongside the hash, matching create() behavior so the decrypted_password
  decoration stays correct after password updates
This commit is contained in:
Pontoporeia
2026-05-31 17:49:39 +02:00
parent 6246174fc5
commit f398a0f1ff
3 changed files with 8 additions and 286 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/src/ShareLink.php
View File

@@ -211,9 +211,10 @@ class ShareLink
public function setPassword(int $id, ?string $password): void
{
$hash = $password !== null ? password_hash($password, PASSWORD_BCRYPT) : null;
$enc = $password !== null ? Crypto::encrypt($password) : null;
$this->db->getConnection()->prepare(
'UPDATE share_links SET password_hash = ? WHERE id = ?'
)->execute([$hash, $id]);
'UPDATE share_links SET password_hash = ?, encrypted_password = ? WHERE id = ?'
)->execute([$hash, $enc, $id]);
}
/**