https://bugzilla.wikimedia.org/show_bug.cgi?id=61346

--- Comment #10 from Chris Steipp <cste...@wikimedia.org> ---
(In reply to T. Gries from comment #9)
> Not sure if the following lines in your patch are correct, as they make the
> function return quickly if the lengths are unequal -> timing attack made easy
> 
>               if ( strlen( $answer ) !== strlen( $test ) ) {
> +                     $passwordCorrect = false;
> +             } else {

We could move this check out of the function, so the function is always
constant time. But in this context, MediaWiki user tokens have been 32
characters since 2004, so knowing that the token is 32 characters doesn't give
an attacker any extra information.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
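The two shapes discussed in this comment, the early length exit in the patch versus a comparator whose work does not depend on the candidate, plus Chris Steipp's suggestion of keeping the (public) length check outside the comparator, as an added example. This is not code from the MediaWiki patch or from either commenter, and it is written in Python rather than MediaWiki's PHP so it can be run as is; the names leaky_equals, constant_time_equals, check_user_token and TOKEN_LEN are illustrative, and the 32-character token length is taken from the comment above. Each comparator returns, alongside the result, the number of bytes it compared, a deterministic stand-in for the wall-clock time an attacker would measure.

```python
"""Token comparison: early length exit vs. length-independent loop.

Added example (not MediaWiki code). Function and constant names are
illustrative assumptions; the 32-character token length comes from the
bug thread.
"""
import hmac
import secrets
from typing import Tuple

# MediaWiki user tokens are described in the thread as 32 characters.
TOKEN_LEN = 32


def leaky_equals(answer: bytes, test: bytes) -> Tuple[bool, int]:
    """Shape of the quoted patch: return at once when the lengths differ.

    Returns (match, bytes_compared). The second value stands in for the
    time an attacker can observe: 0 on a length mismatch, len(answer)
    otherwise, so the response time reveals whether the length was right.
    """
    if len(answer) != len(test):
        return False, 0  # fast path: this is the timing signal
    diff = 0
    for a, b in zip(answer, test):
        diff |= a ^ b  # no break: the equal-length case is fixed work
    return diff == 0, len(answer)


def constant_time_equals(answer: bytes, test: bytes) -> Tuple[bool, int]:
    """Always touches len(answer) bytes, so the work depends only on the secret.

    A candidate of the wrong length is padded with zero bytes or truncated to
    len(answer), and the length mismatch is folded into the result instead of
    short-circuiting. Python itself gives no constant-time guarantee; this
    shows the structure, and hmac.compare_digest is what to call in practice.
    """
    diff = len(answer) ^ len(test)          # nonzero if lengths differ
    padded = (test + bytes(len(answer)))[:len(answer)]
    for a, b in zip(answer, padded):
        diff |= a ^ b
    return diff == 0, len(answer)


def check_user_token(stored: str, submitted: str) -> bool:
    """The alternative suggested in the comment: check the length outside the
    comparator. Because every token is TOKEN_LEN characters, rejecting a
    candidate of the wrong length early tells the attacker nothing they did
    not already know, and the comparator only ever sees equal-length input.
    """
    if len(submitted) != TOKEN_LEN:
        return False
    return hmac.compare_digest(stored.encode(), submitted.encode())


def new_token() -> str:
    """Constructed sample token of the assumed 32-character form (hex)."""
    return secrets.token_hex(TOKEN_LEN // 2)


if __name__ == "__main__":
    secret = b"a" * TOKEN_LEN
    for label, cand in [("correct", secret), ("short", secret[:-1]),
                        ("long", secret + b"a"), ("wrong byte", secret[:-1] + b"b")]:
        print(f"{label:>10}: leaky={leaky_equals(secret, cand)} "
              f"constant={constant_time_equals(secret, cand)}")
    tok = new_token()
    print("check_user_token:", check_user_token(tok, tok), check_user_token(tok, tok[:-1]))
```

Running the block prints the work counts side by side: leaky_equals does 0 byte comparisons for the short and long candidates and 32 for the others, while constant_time_equals does 32 every time. Whether that leak matters is exactly the judgement call in the comment: with a fixed, public token length it gives the attacker nothing, so the length check can live outside the comparator as check_user_token does; where the length of the secret is itself sensitive, the folded form is the one to use.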