xamxam/TODO.md
Pontoporeia f398a0f1ff Fix non-constant-time credential comparisons
- account.php: replace !== CSRF token check with hash_equals
- ShareLink::setPassword(): also encrypt and store plain-text password
  alongside the hash, matching create() behavior so the decrypted_password
  decoration stays correct after password updates
2026-05-31 17:49:43 +02:00


TODO

  • Fix account.php: replace !== CSRF token check with hash_equals (constant-time comparison)
  • Fix ShareLink::setPassword(): also encrypt and store plain-text password, matching create() behavior
  • Audit: confirm all remaining credential comparison sites use constant-time hash_equals or password_verify
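The first TODO item, shown as an added PHP example (not code from the xamxam project): the `!==` token check beside its `hash_equals` replacement. The function names and the `$_SESSION`/`$_POST` key names are assumptions.

```php
<?php
// Added example, not part of xamxam. Function and key names are assumed.

// BEFORE: the pattern the TODO flags. PHP's `!==` on strings stops at the
// first differing byte, so the comparison time depends on how many leading
// bytes of the submitted value match the real token.
function csrfTokenRejectedUnsafe(string $expected, $submitted): bool
{
    return $submitted !== $expected;
}

// AFTER: hash_equals() runs in time that depends only on the length of the
// strings, not on where the first mismatch occurs. The known (server-side)
// value goes first, the user-supplied value second, as the PHP docs advise.
function csrfTokenValid(string $expected, $submitted): bool
{
    // hash_equals() throws a TypeError for non-string arguments, and an
    // empty or missing token must never pass, so check the shape first.
    if (!is_string($submitted) || $submitted === '' || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Typical request-handling use (assumed key names), as account.php would
// call it after the fix.
function requireValidCsrfToken(array $session, array $post): void
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? null;
    if (!csrfTokenValid($expected, $submitted)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// Constructed demonstration with a freshly generated token.
$sessionToken = bin2hex(random_bytes(32));
var_dump(csrfTokenValid($sessionToken, $sessionToken));
var_dump(csrfTokenValid($sessionToken, substr($sessionToken, 0, 10)));
var_dump(csrfTokenValid($sessionToken, null));
```

The same rule applies to the audit item: any site that compares a stored secret to user input with `==`, `===`, `!=` or `!==` is a candidate for `hash_equals()`, and password hashes should go through `password_verify()`, which is constant-time internally.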