SECURITY: API: Use constant-time comparison for watchlist token
authorBrad Jorsch <bjorsch@wikimedia.org>
Fri, 27 Mar 2015 15:49:58 +0000 (11:49 -0400)
committerChad Horohoe <chadh@wikimedia.org>
Tue, 11 Aug 2015 14:16:57 +0000 (07:16 -0700)
Avoids a theoretical timing attack.

Bug: T94116
Change-Id: Ia4a2b13bd5d3cd256c6b2deada224148dc2888a6

includes/api/ApiBase.php

index 393ff49..754c0ed 100644 (file)
@@ -1229,7 +1229,7 @@ abstract class ApiBase extends ContextSource {
                                $this->dieUsage( 'Specified user does not exist', 'bad_wlowner' );
                        }
                        $token = $user->getOption( 'watchlisttoken' );
-                       if ( $token == '' || $token != $params['token'] ) {
+                       if ( $token == '' || !hash_equals( $token, $params['token'] ) ) {
                                $this->dieUsage(
                                        'Incorrect watchlist token provided -- please set a correct token in Special:Preferences',
                                        'bad_wltoken'
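Review bot: hash_equals() on the new line returns false and emits a PHP warning when either argument is not a string, so if `$params['token']` can be null (parameter omitted) the dieUsage branch is still reached but with a warning in the logs; whether 'token' is a required parameter is decided outside this hunk, so if it is optional a guard is needed, `if ( $token == '' || !is_string( $params['token'] ) || !hash_equals( $token, $params['token'] ) ) {`. The loose `$token == ''` on the same line appears deliberate because it also catches a null from getOption(), so it should not be tightened to `===` without adding an explicit null check. hash_equals() needs PHP 5.6 or a polyfill, which cannot be confirmed from here. The enclosing method continues outside the hunk on both sides.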