From: Patrick Canterino Date: Thu, 19 Jun 2025 11:56:59 +0000 (+0200) Subject: Fixes for issues #31 and #32 X-Git-Tag: 4.6.3~2 X-Git-Url: https://git.p6c8.net/jirafeau/pcanterino.git/commitdiff_plain/c4128fb71faf620d7957ff8c5fadba9303ad4da3?hp=eae7f48e501c8709a049d291069bc37150ecc1a1 Fixes for issues #31 and #32 See merge request jirafeau/Jirafeau!22
---
diff --git a/admin.php b/admin.php
index f8270a2..75cc38d 100644
--- a/admin.php
+++ b/admin.php
@@ -73,7 +73,7 @@ elseif (true === jirafeau_challenge_admin_ip($cfg, get_ip_address($cfg))) {
 }
 /* Test web password authentication. */
 elseif (!empty($cfg['admin_password']) && isset($_POST['admin_password'])) {
- if ($cfg['admin_password'] === hash('sha256', $_POST['admin_password'])) {
+ if (hash_equals($cfg['admin_password'], hash('sha256', $_POST['admin_password']))) {
 jirafeau_admin_session_start();
 } else {
 require(JIRAFEAU_ROOT . 'lib/template/header.php');
diff --git a/f.php b/f.php
index f523f72..a93ec98 100644
--- a/f.php
+++ b/f.php
@@ -171,7 +171,7 @@ if (!empty($link['key'])) {
 require(JIRAFEAU_ROOT.'lib/template/footer.php');
 exit;
 } else {
- if ($link['key'] == md5($_POST['key'])) {
+ if (hash_equals($link['key'], md5($_POST['key']))) {
 $password_challenged = true;
 } else {
 sleep(2);
diff --git a/lib/functions.php b/lib/functions.php
index 7ac4c9e..f9fbd9b 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -623,7 +623,7 @@ function jirafeau_is_viewable($mime)
 if (!empty($mime)) {
 $viewable = array('image', 'video', 'audio');
 $decomposed = explode('/', $mime);
- if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false) {
+ if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false && strpos($mime, ',') === false) {
 return true;
 }
 $viewable = array('text/plain');
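Review bot: The `isset($_POST['admin_password'])` guard on the `elseif` line still admits a non-string value (PHP decodes a bracketed form-field name into an array), and on PHP 8 `hash()` on the changed line then throws a TypeError before `hash_equals` is reached, so a malformed login request ends in an uncaught error instead of the failure branch that renders the template. Tightening the guard keeps the new constant-time comparison on the string path only: `elseif (!empty($cfg['admin_password']) && isset($_POST['admin_password']) && is_string($_POST['admin_password'])) {`. The same gap applies to `$_POST['key']` in the f.php hunk. `hash_equals` itself also requires both operands to be strings, which presumably holds for the configured `admin_password` — worth confirming against how the config is loaded. The surrounding `if`/`elseif` chain starts and ends outside the hunk.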
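Review bot: The constant-time comparison on the changed line still operates on an unsalted `md5()` of the submitted key; `hash_equals` removes the timing difference of the old `==`, but the stored `$link['key']` remains a fast, unsalted digest, so the strength of the stored value is unchanged by this commit. Moving the stored key to `password_hash()`/`password_verify()` would address both at once but changes the link record format and belongs in a separate change; for this hunk a comment recording the limitation would help, e.g. `// constant-time compare; the stored key is an unsalted md5 (legacy format)`. Note also that `hash_equals` throws a TypeError where `==` would have silently compared when `$link['key']` is not a string — presumably it always is once `!empty($link['key'])` holds, but confirm against the code that reads the link record. The enclosing `if (!empty($link['key']))` block starts and ends outside the hunk.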
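Review bot: The added `strpos($mime, ',') === false` extends a denylist of specific substrings (`image/svg+xml`, now `,`) in `jirafeau_is_viewable`, so other separators such as `;`, whitespace or a second `/` are still accepted as part of a "viewable" type, and `in_array` without `strict: true` compares `$decomposed[0]` loosely. An allowlist of the type/subtype syntax covers all of these in one place: `if (in_array($decomposed[0], $viewable, true) && preg_match('#^[a-z0-9.+-]+/[a-z0-9.+-]+$#i', $mime) === 1 && stripos($mime, 'image/svg+xml') === false) {` — if parameterised values like `; charset=` are expected to reach this function, the pattern needs an optional parameter tail. Whichever form is kept, the reason for rejecting `,` deserves a comment (presumably the multi-valued type behind issue #32 — confirm), e.g. `// only a single type/subtype is viewable; comma-joined lists are rejected`. The function body continues past the hunk (the `text/plain` branch).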