src/applications/auth/engine/PhabricatorAuthCSRFEngine.php
Context not available. | |||||
// We expect a BREACH-mitigating token. See T3684. | // We expect a BREACH-mitigating token. See T3684. | ||||
$breach_prefix = $this->getBREACHPrefix(); | $breach_prefix = $this->getBREACHPrefix(); | ||||
$breach_prelen = strlen($breach_prefix); | $breach_prelen = @strlen($breach_prefix); | ||||
if (strncmp($token, $breach_prefix, $breach_prelen) !== 0) { | if (strncmp($token, $breach_prefix, $breach_prelen) !== 0) { | ||||
return false; | return false; | ||||
} | } | ||||
$salt = substr($token, $breach_prelen, $salt_length); | $salt = @substr($token, $breach_prelen, $salt_length); | ||||
$token = substr($token, $breach_prelen + $salt_length); | $token = @substr($token, $breach_prelen + $salt_length); | ||||
foreach ($this->getWindowOffsets() as $offset) { | foreach ($this->getWindowOffsets() as $offset) { | ||||
$expect_token = $this->newRawToken($salt, $offset); | $expect_token = $this->newRawToken($salt, $offset); | ||||
Context not available. | |||||
$secret.$time_block.$salt, | $secret.$time_block.$salt, | ||||
'csrf'); | 'csrf'); | ||||
return substr($hash, 0, $this->getTokenLength()); | return @substr($hash, 0, $this->getTokenLength()); | ||||
} | } | ||||
private function getBREACHPrefix() { | private function getBREACHPrefix() { | ||||
Context not available. |
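Review bot: The `@` added to `strlen` and the two `substr` calls in the first hunk suppresses warnings and deprecations but does not change what happens when `$token` is not a string: on PHP 8 `strlen()` and `substr()` throw a `TypeError` for an array argument, which `@` cannot silence, so a crafted non-string CSRF field would still fault instead of being rejected. The robust fix is to reject non-string input before the prefix comparison, e.g. `if (!is_string($token)) { return false; }` ahead of the `strncmp`, which also makes the `@` on the three calls unnecessary; the enclosing validation method starts outside the hunk, so the guard belongs near its top. Presumably the suppression was added for the PHP 8.1 "passing null to parameter of type string" deprecation — if so, the `is_string` check covers that case explicitly. The `@substr($hash, ...)` in the second hunk (inside `newRawToken`) suppresses nothing useful, since `$hash` is the output of the hashing helper on the preceding lines and any warning there would indicate a real bug worth surfacing; drop that `@` as well.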