public/tt-rss
1
0
Fork 0
mirror of https://git.tt-rss.org/git/tt-rss.git synced 2025-12-15 21:45:56 +00:00
Code Issues Releases Wiki Activity

auth_internal: use type-strict comparison when checking OTP code

Browse Source
This commit is contained in:
Andrew Dolgov
2020-09-17 08:46:57 +03:00
parent 89d53a7f49
commit 0757ad0406
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
plugins/auth_internal/init.php
View File

@@ -52,7 +52,7 @@ class Auth_Internal extends Plugin implements IAuthModule {
$totp_legacy = new \OTPHP\TOTP($secret_legacy); $totp_legacy = new \OTPHP\TOTP($secret_legacy);
$otp_check_legacy = $totp_legacy->now(); $otp_check_legacy = $totp_legacy->now();
if ($otp != $otp_check && $otp != $otp_check_legacy) { if ($otp !== $otp_check && $otp !== $otp_check_legacy) {
return false; return false;
} }
} else { } else {
@@ -260,8 +260,8 @@ class Auth_Internal extends Plugin implements IAuthModule {
} }
private function check_app_password($login, $password, $service) { private function check_app_password($login, $password, $service) {
$sth = $this->pdo->prepare("SELECT p.id, p.pwd_hash, u.id AS uid $sth = $this->pdo->prepare("SELECT p.id, p.pwd_hash, u.id AS uid
FROM ttrss_app_passwords p, ttrss_users u FROM ttrss_app_passwords p, ttrss_users u
WHERE p.owner_uid = u.id AND u.login = ? AND service = ?"); WHERE p.owner_uid = u.id AND u.login = ? AND service = ?");
$sth->execute([$login, $service]); $sth->execute([$login, $service]);