xamxam/TODO.md
Pontoporeia f398a0f1ff Fix non-constant-time credential comparisons
- account.php: replace !== CSRF token check with hash_equals
- ShareLink::setPassword(): also encrypt and store plain-text password
  alongside the hash, matching create() behavior so the decrypted_password
  decoration stays correct after password updates
2026-05-31 17:49:43 +02:00

# TODO
- [x] Fix `account.php`: replace `!==` CSRF token check with `hash_equals` (constant-time comparison)
- [x] Fix `ShareLink::setPassword()`: also encrypt and store plain-text password, matching `create()` behavior
- [x] Audit: confirm all remaining credential comparison sites use constant-time `hash_equals` or `password_verify`
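
The three items above describe one pattern: credential comparisons in PHP must not go through `===`/`!==`, which return as soon as one byte differs. The following is an added example, not code from the xamxam repository; the function names, parameter names and the session/POST array shapes are assumptions chosen for illustration. It shows the comparison as the TODO flags it (plain string compare) beside the fixed form with `hash_equals`, a token issue/verify cycle around it, and `password_verify` for the share-link password path.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not xamxam's own code. Function and parameter names
 * (csrf_matches_vulnerable, csrf_issue, csrf_verify, sharelink_*) are
 * assumptions for illustration only.
 */

// Before: PHP's === / !== stops at the first differing byte, so the
// response time leaks how long a prefix of the submitted token matched.
// `!== ` followed by a reject is the same comparison, negated.
function csrf_matches_vulnerable(string $sessionToken, string $submitted): bool
{
    return $sessionToken === $submitted;
}

// After: hash_equals() spends the same time whether or not the strings are
// equal. Argument order matters: the known server-side value goes first, the
// user-controlled value second. Note that it still returns early when the
// lengths differ; a fixed-length token (see csrf_issue) makes that moot.
function csrf_matches(string $sessionToken, string $submitted): bool
{
    return hash_equals($sessionToken, $submitted);
}

// Issue a 64-hex-character token from 32 CSPRNG bytes and bind it to the session.
function csrf_issue(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['csrf_token'] = $token;
    return $token;
}

// Verify a submitted token. hash_equals() throws a TypeError on a non-string
// argument in PHP 8, and form input can be missing or arrive as an array
// (csrf_token[]=x), so reject anything that is not a string before comparing.
function csrf_verify(array $session, array $post): bool
{
    if (!isset($session['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    $submitted = $post['csrf_token'];
    if (!is_string($submitted)) {
        return false;
    }
    return csrf_matches($session['csrf_token'], $submitted);
}

// Share-link passwords: keep a password_hash() output and check candidates
// with password_verify(), which is documented as safe against timing attacks
// and reads the algorithm and cost parameters from the stored hash itself.
function sharelink_set_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function sharelink_check_password(string $storedHash, string $candidate): bool
{
    return password_verify($candidate, $storedHash);
}

// Constructed walk-through (no real session or request involved).
$session = [];
$token = csrf_issue($session);

var_dump(csrf_verify($session, ['csrf_token' => $token]));                    // exact token
var_dump(csrf_verify($session, ['csrf_token' => substr($token, 0, 63) . '_'])); // last byte wrong
var_dump(csrf_verify($session, ['csrf_token' => [$token]]));                  // array, not string
var_dump(csrf_verify($session, []));                                          // field missing

$hash = sharelink_set_password('correct horse battery staple');
var_dump(sharelink_check_password($hash, 'correct horse battery staple'));
var_dump(sharelink_check_password($hash, 'correct horse battery stapl3'));
```

When auditing for the third checklist item, grep for `===`, `!==`, `==`, `!=`, `strcmp` and `strcasecmp` applied to anything that is a token, API key, signature, hash or password; each site should end up as either `hash_equals($known, $userSupplied)` for opaque tokens or `password_verify($candidate, $storedHash)` for passwords. The one thing `hash_equals` does not hide is the length of the two strings, so generate tokens at a fixed length rather than relying on it to mask that.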