From 8c8f88ec2104ab0a12ceec4f5a8e2ebeb72758cc Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Mon, 16 Jun 2025 12:13:44 +0200
Subject: [PATCH] Compare stored hashes for admin and download password using hash_equals()

This prevents timing attacks and attacks using Type Juggling

Originally proposed by onosh
---
 admin.php | 2 +-
 f.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/admin.php b/admin.php
index f8270a2..75cc38d 100644
--- a/admin.php
+++ b/admin.php
@@ -73,7 +73,7 @@ elseif (true === jirafeau_challenge_admin_ip($cfg, get_ip_address($cfg))) {
 }
 /* Test web password authentication. */
 elseif (!empty($cfg['admin_password']) && isset($_POST['admin_password'])) {
-    if ($cfg['admin_password'] === hash('sha256', $_POST['admin_password'])) {
+    if (hash_equals($cfg['admin_password'], hash('sha256', $_POST['admin_password']))) {
         jirafeau_admin_session_start();
     } else {
         require(JIRAFEAU_ROOT . 'lib/template/header.php');
diff --git a/f.php b/f.php
index f523f72..a93ec98 100644
--- a/f.php
+++ b/f.php
@@ -171,7 +171,7 @@ if (!empty($link['key'])) {
         require(JIRAFEAU_ROOT.'lib/template/footer.php');
         exit;
     } else {
-        if ($link['key'] == md5($_POST['key'])) {
+        if (hash_equals($link['key'], md5($_POST['key']))) {
             $password_challenged = true;
         } else {
             sleep(2);
--
2.43.0
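Review bot: The new hash_equals() call in admin.php still receives whatever type `$_POST['admin_password']` has; the guard on the elseif line only checks isset(), so a request sending `admin_password[]=x` makes hash() (and hash_equals(), which requires two strings) throw a TypeError on PHP 8 instead of failing the login cleanly. Tightening the guard to `elseif (!empty($cfg['admin_password']) && isset($_POST['admin_password']) && is_string($_POST['admin_password'])) {` keeps non-string input on the existing "wrong password" path. The same applies to `$_POST['key']` in the f.php hunk, whose isset() check, if any, lies outside the hunk. The argument order (stored hash first, user-derived hash second) is the right one for hash_equals(), and the enclosing elseif chain in admin.php continues outside the hunk.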
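Review bot: The switch from `==` to hash_equals() in f.php deserves a comment, since a future reader may "simplify" it back to `===`; I would add above the if: `// hash_equals(): constant-time, strict string comparison (no '0e..' type juggling)`. Note that hash_equals() only makes the comparison constant-time; the download password is still stored as an unsalted md5 of the user-chosen value (and sha256 for the admin password), which is cheap to brute-force offline if the link or config file leaks. Moving both to password_hash()/password_verify() would close that, but it changes the stored format and is a separate change. The enclosing if/else in f.php starts and ends outside the hunk.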