

Using hash_equals() to avoid timing attacks.
renintw committed Sep 26, 2023
1 parent ee1825f commit fc01e42
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -142,7 +142,7 @@ function validate_token_on_debrief_survey() {
$expected_token = hash_hmac( 'sha1', base64_decode( $wordcamp_id ), ORGANIZER_SURVEY_ACCESS_TOKEN_KEY );

// Check if the request is a form submission. If not, then validate the token.
if ( 'POST' !== $_SERVER['REQUEST_METHOD'] && $token !== $expected_token ) {
if ( 'POST' !== $_SERVER['REQUEST_METHOD'] && ! hash_equals( $expected_token, $token ) ) {
wp_die('Invalid access token.');
} else {
$wordcamp_post_data = get_wordcamp_post(base64_decode( $wordcamp_id ));
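Review bot: hash_equals() requires both arguments to be strings, so the new condition on the `if` line will throw a TypeError on PHP 8 (and emit a warning and return false on PHP 7) if `$token` arrives as null or an array, for example when the query parameter is absent, whereas the old `!==` comparison simply failed closed. `$token` is assigned outside the hunk, so this is inferred; if it is read straight from the request, guard the type first: `if ( 'POST' !== $_SERVER['REQUEST_METHOD'] && ( ! is_string( $token ) || ! hash_equals( $expected_token, $token ) ) ) {`. A TypeError raised on this guard path would surface as a fatal error instead of the intended 'Invalid access token.' response from wp_die(). The function validate_token_on_debrief_survey() begins before the hunk and its else branch continues past it.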

