From: Daniel Supernault Date: Mon, 12 Mar 2018 00:55:59 +0000 (-0600) Subject: [CORE] Add timing safe backwards compatible password_verify X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=ad51998d673bb76c7ab69bad92c212ebbaae7a22;p=quix0rs-gnu-social.git [CORE] Add timing safe backwards compatible password_verify
---
diff --git a/plugins/AuthCrypt/AuthCryptPlugin.php b/plugins/AuthCrypt/AuthCryptPlugin.php
index b213e0483c..0f3e7a6f71 100644
--- a/plugins/AuthCrypt/AuthCryptPlugin.php
+++ b/plugins/AuthCrypt/AuthCryptPlugin.php
@@ -52,6 +52,13 @@ class AuthCryptPlugin extends AuthenticationPlugin
 return false;
 }
 
+ // Timing safe password verification on supported PHP versions
+ if (function_exists('password_verify')) {
+ if (password_verify($password, $user->password)) {
+ return $user;
+ }
+ }
+
 // crypt understands what the salt part of $user->password is
 if ($user->password === crypt($password, $user->password)) {
 return $user;
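Review bot: A wrong password still reaches the non-constant-time `$user->password === crypt($password, $user->password)` comparison, because the added `password_verify()` block falls through to the legacy check whenever it returns false, so failed logins keep the timing difference this commit sets out to remove. `password_verify()` accepts crypt()-format hashes, so the legacy comparison is only needed where the function is missing; making it the alternative branch, `} elseif ($user->password === crypt($password, $user->password)) {`, keeps old PHP versions working without running it on modern ones. The enclosing method starts and ends outside the hunk, so any further fallback after this block is not visible here and should be checked for the same fall-through.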