[#45477] - [5.3] Use time safe compare method in phpass library
- Fixed in Code Base
- 19 May 2025
- Medium
- Build: 5.3-dev
- # 45477
- Diff
- SniperSister:5.3-phppass-hashfix
User tests: Successful: Unsuccessful:
Summary of Changes
The phppass library shipped in core does not use a time-safe comparsion method for the hashes. It's not used in core and timing attacks in web apps are generally very difficult to perform, nevertheless a fix is straightforward.
Testing Instructions
Core Review
Actual result BEFORE applying this Pull Request
Non-Timesafe-Compare
Expected result AFTER applying this Pull Request
Timesafe-Compare
Link to documentations
Please select:
-
Documentation link for docs.joomla.org:
-
No documentation changes for docs.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | External Library Libraries |
| Labels |
Added:
PR-5.3-dev
|
||
also I noticed that in the manifest it refers to 0.3 when this is 0.5
| Category | External Library Libraries | ⇒ | Administration External Library Libraries |
I have tested this item ✅ successfully on 9674bfb
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45477.
I have tested this item ✅ successfully on 9674bfb
Syntactical/isolated tested against php versions, works with 5.6+.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45477.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45477.
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2025-05-19 05:52:57 |
| Closed_By | ⇒ | bembelimen | |
| Labels |
Added:
RTC
|
||
Thx
joomla-cms/libraries/phpass/PasswordHash.php
Lines 16 to 18 in 7313d54