[5.3] Use time safe compare method in phpass library (#45477)

SniperSister · web-flow · commit f6bf6dced1c5 · 2025-05-19T07:52:55.000+02:00
diff --git a/administrator/manifests/libraries/phpass.xml b/administrator/manifests/libraries/phpass.xml
@@ -8,7 +8,7 @@
 	<authorEmail>solar@openwall.com</authorEmail>
 	<authorUrl>https://www.openwall.com/phpass/</authorUrl>
 	<license>PD / GWC</license>
-	<version>0.3</version>
+	<version>0.5.1</version>
 	<packagerurl>https://www.openwall.com/phpass/</packagerurl>
 
 	<files folder="phpass">
diff --git a/libraries/phpass/PasswordHash.php b/libraries/phpass/PasswordHash.php
@@ -2,7 +2,7 @@
 #
 # Portable PHP password hashing framework.
 #
-# Version 0.5 / genuine.
+# Version 0.5.1 / Joomla Project.
 #
 # Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
 # the public domain.  Revised in subsequent years, still public domain.
@@ -216,11 +216,7 @@ function CheckPassword($password, $stored_hash)
 		if ($hash[0] === '*')
 			$hash = crypt($password, $stored_hash);
 
-		# This is not constant-time.  In order to keep the code simple,
-		# for timing safety we currently rely on the salts being
-		# unpredictable, which they are at least in the non-fallback
-		# cases (that is, when we use /dev/urandom and bcrypt).
-		return $hash === $stored_hash;
+		return hash_equals($hash, $stored_hash);
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`#`
`3`	`3`	`# Portable PHP password hashing framework.`
`4`	`4`	`#`
`5`		`-# Version 0.5 / genuine.`
	`5`	`+# Version 0.5.1 / Joomla Project.`
`6`	`6`	`#`
`7`	`7`	`# Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in`
`8`	`8`	`# the public domain. Revised in subsequent years, still public domain.`
`@@ -216,11 +216,7 @@ function CheckPassword($password, $stored_hash)`
`216`	`216`	`if ($hash[0] === '*')`
`217`	`217`	`$hash = crypt($password, $stored_hash);`
`218`	`218`
`219`		`- # This is not constant-time. In order to keep the code simple,`
`220`		`- # for timing safety we currently rely on the salts being`
`221`		`- # unpredictable, which they are at least in the non-fallback`
`222`		`- # cases (that is, when we use /dev/urandom and bcrypt).`
`223`		`- return $hash === $stored_hash;`
	`219`	`+ return hash_equals($hash, $stored_hash);`
`224`	`220`	`}`
`225`	`221`	`}`
`226`	`222`