diff options
| author | Andrey Andreev <narf@devilix.net> | 2014-02-07 14:35:51 +0100 |
|---|---|---|
| committer | Andrey Andreev <narf@devilix.net> | 2014-02-07 14:35:51 +0100 |
| commit | ff6d1a80b75eb4303551be1f2708509757a85e50 (patch) | |
| tree | c84c6a397341c462f02aa236d2c406944ff20386 /system/libraries | |
| parent | 664b83e1d023e067d3b9bc75dbe96161236fd5f7 (diff) | |
| parent | c697a3bfdfc301718058a09fd5692fbecee6920a (diff) | |
Merge branch 'develop' into 'feature/user-guide-cleanup'
Diffstat (limited to 'system/libraries')
| -rw-r--r-- | system/libraries/Session/drivers/Session_cookie.php | 10 | ||||
| -rw-r--r-- | system/libraries/Zip.php | 2 |
2 files changed, 10 insertions, 2 deletions
diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php index 971dfeabe..c8dfad6c9 100644 --- a/system/libraries/Session/drivers/Session_cookie.php +++ b/system/libraries/Session/drivers/Session_cookie.php @@ -395,7 +395,15 @@ class CI_Session_cookie extends CI_Session_driver { $hmac = substr($session, $len); $session = substr($session, 0, $len); - if ($hmac !== hash_hmac('sha1', $session, $this->encryption_key)) + // Time-attack-safe comparison + $hmac_check = hash_hmac('sha1', $session, $this->encryption_key); + $diff = 0; + for ($i = 0; $i < 40; $i++) + { + $diff |= ord($hmac[$i]) ^ ord($hmac_check[$i]); + } + + if ($diff !== 0) { log_message('error', 'The session cookie data did not match what was expected.'); $this->sess_destroy(); diff --git a/system/libraries/Zip.php b/system/libraries/Zip.php index b10b0bb0f..58f06455c 100644 --- a/system/libraries/Zip.php +++ b/system/libraries/Zip.php @@ -294,7 +294,7 @@ class CI_Zip { { $name = str_replace('\\', '/', $path); - if ($preserve_filepath === FALSE) + if ($archive_filepath === FALSE) { $name = preg_replace('|.*/(.+)|', '\\1', $name); } |