This prevents timing attacks and attacks using Type Juggling
Originally proposed by onosh
}
/* Test web password authentication. */
elseif (!empty($cfg['admin_password']) && isset($_POST['admin_password'])) {
- if ($cfg['admin_password'] === hash('sha256', $_POST['admin_password'])) {
+ if (hash_equals($cfg['admin_password'], hash('sha256', $_POST['admin_password']))) {
jirafeau_admin_session_start();
} else {
require(JIRAFEAU_ROOT . 'lib/template/header.php');
require(JIRAFEAU_ROOT.'lib/template/footer.php');
exit;
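Review bot: The new `hash_equals()` call on the `+` line is only safe when both operands are strings, and `$_POST['admin_password']` can arrive as an array (a field named `admin_password[]`), in which case `hash()` raises a TypeError on PHP 8 (an uncaught error rather than a failed login) and on PHP 7 returns null with a warning before `hash_equals()` warns again. Tighten the guard in the `elseif` condition so non-string input is rejected before any hashing: `elseif (!empty($cfg['admin_password']) && isset($_POST['admin_password']) && is_string($_POST['admin_password'])) {`. Separately, the stored value is an unsalted SHA-256 of the password; if the config format can be migrated, `password_hash()`/`password_verify()` would give a salted, work-factored comparison that is also constant-time, though that is a larger change than this commit. The `if`/`elseif` chain this block belongs to starts before the hunk.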
} else {
- if ($link['key'] == md5($_POST['key'])) {
+ if (hash_equals($link['key'], md5($_POST['key']))) {
$password_challenged = true;
} else {
sleep(2);