X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Fspecials%2FSpecialRunJobs.php;h=4c8c8f308108d8cc309aa2e33476c69493d931bd;hb=f4471830752b5f33750fdd3abdc532e679bbf969;hp=63eff36ca3eefb9e84f11cd1db1df27b2ce9a387;hpb=27f8aa732e55f0655255152fa22655fa07424c2d;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/specials/SpecialRunJobs.php b/includes/specials/SpecialRunJobs.php
index 63eff36ca3..4c8c8f3081 100644
--- a/includes/specials/SpecialRunJobs.php
+++ b/includes/specials/SpecialRunJobs.php
@@ -64,19 +64,7 @@ class SpecialRunJobs extends UnlistedSpecialPage {
 $cSig = self::getQuerySignature( $squery ); // correct signature
 $rSig = $params['signature']; // provided signature
- // Constant-time signature verification
- // http://www.emerose.com/timing-attacks-explained
- // @todo Make a common method for this
- if ( !is_string( $rSig ) || strlen( $rSig ) !== strlen( $cSig ) ) {
- $verified = false;
- } else {
- $result = 0;
- $cSigLength = strlen( $cSig );
- for ( $i = 0; $i < $cSigLength; $i++ ) {
- $result |= ord( $cSig[$i] ) ^ ord( $rSig[$i] );
- }
- $verified = ( $result == 0 );
- }
+ $verified = is_string( $rSig ) && hash_equals( $cSig, $rSig );
 if ( !$verified || $params['sigexpiry'] < time() ) {
 header( "HTTP/1.0 400 Bad Request" );
 print 'Invalid or stale signature provided';
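Review bot: The added `$verified = is_string( $rSig ) && hash_equals( $cSig, $rSig );` line loses the comment that explained why this comparison has to be constant-time, so nothing at the call site now stops a later cleanup from turning it into `===`. I would keep one line above it, for example `// Constant-time comparison of the expected and supplied signature; do not replace with ===`. The same comment could note that the `is_string()` guard is deliberate, since `hash_equals()` does not accept non-string arguments and `$rSig` is the caller-provided value. `hash_equals()` is built in only from PHP 5.6, so this presumably relies on the project's minimum PHP version or a polyfill, neither of which is visible in this diff. The enclosing method begins and ends outside the hunk.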