Merge "UserTest: Cover User::isIP and User::isValidUserName better"

[lhc/web/wiklou.git] / includes / specials / SpecialRunJobs.php

diff --git a/includes/specials/SpecialRunJobs.php b/includes/specials/SpecialRunJobs.php
index 104cd54..4c8c8f3 100644 (file)
--- a/includes/specials/SpecialRunJobs.php
+++ b/includes/specials/SpecialRunJobs.php
@@ -64,18 +64,7 @@ class SpecialRunJobs extends UnlistedSpecialPage {
                $cSig = self::getQuerySignature( $squery ); // correct signature
                $rSig = $params['signature']; // provided signature
 
-               // Constant-time signature verification
-               // http://www.emerose.com/timing-attacks-explained
-               // @todo: make a common method for this
-               if ( !is_string( $rSig ) || strlen( $rSig ) !== strlen( $cSig ) ) {
-                       $verified = false;
-               } else {
-                       $result = 0;
-                       for ( $i = 0; $i < strlen( $cSig ); $i++ ) {
-                               $result |= ord( $cSig[$i] ) ^ ord( $rSig[$i] );
-                       }
-                       $verified = ( $result == 0 );
-               }
+               $verified = is_string( $rSig ) && hash_equals( $cSig, $rSig );
                if ( !$verified || $params['sigexpiry'] < time() ) {
                        header( "HTTP/1.0 400 Bad Request" );
                        print 'Invalid or stale signature provided';
@@ -117,7 +106,7 @@ class SpecialRunJobs extends UnlistedSpecialPage {
         *
         * @note: also called from Wiki.php
         *
-        * @param integer $maxJobs Maximum number of jobs to run
+        * @param int $maxJobs Maximum number of jobs to run
         * @return void
         */
        public static function executeJobs( $maxJobs ) {