Updated _password_verify_sha1_legacy() to use hash_equals instead of a strict string comparison in order to mitigate timing attacks

benedmunds · web-flow · commit f08cd919e79d · 2022-03-23T14:15:03.000-04:00
This resolves #1555
diff --git a/models/Ion_auth_model.php b/models/Ion_auth_model.php
@@ -2776,7 +2776,7 @@ protected function _password_verify_sha1_legacy($identity, $password, $hashed_pa
 		}
 
 		// Now we can compare them
-		if($hashed_password === $hashed_password_db)
+		if(hash_equals($hashed_password, $hashed_password_db))
 		{
 			// Password is good, migrate it to latest
 			$result = $this->_set_password_db($identity, $password);

Original file line number	Diff line number	Diff line change
`@@ -2776,7 +2776,7 @@ protected function _password_verify_sha1_legacy($identity, $password, $hashed_pa`
`2776`	`2776`	`}`
`2777`	`2777`
`2778`	`2778`	`// Now we can compare them`
`2779`		`- if($hashed_password === $hashed_password_db)`
	`2779`	`+ if(hash_equals($hashed_password, $hashed_password_db))`
`2780`	`2780`	`{`
`2781`	`2781`	`// Password is good, migrate it to latest`
`2782`	`2782`	`$result = $this->_set_password_db($identity, $password);`