Self service: fix timing attack

Compare icinga_host.api_key ("known_string") via hash_equals().
This commit is contained in:
Alexander A. Klimov 2025-06-11 11:38:05 +02:00
parent 5ce23b2cbf
commit 301455f5ed


@ -585,13 +585,15 @@ class IcingaHost extends IcingaObject implements ExportInterface
$query = $db->getDbAdapter()
->select()
->from('icinga_host')
->where('api_key = ?', $key);
->where('api_key IS NOT NULL')
->query();
$result = self::loadAll($db, $query);
if (count($result) !== 1) {
throw new NotFoundError('Got invalid API key "%s"', $key);
foreach ($query as $row) {
if (hash_equals($row->api_key, $key)) {
return (new static())->setConnection($db)->setDbProperties($row);
}
}
return current($result);
throw new NotFoundError('Got invalid API key "%s"', $key);
}
}
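Review bot: `hash_equals($row->api_key, $key)` inside the new foreach requires both arguments to be strings, so if `$key` can arrive null or non-string from the request (its origin is outside the hunk; the enclosing method's signature starts above the view), PHP 8 deprecates or throws a TypeError where the old parameterised `api_key = ?` query simply returned no rows — guard it first: `if (! is_string($key) || $key === '') { throw new NotFoundError('Got invalid API key "%s"', $key); }`. The rewritten query also walks every host that has an api_key on each lookup instead of hitting the index on `api_key = ?`; if that table is large, the usual pattern is to look up by a non-secret digest column (e.g. a SHA-256 of the key) and keep `hash_equals()` only for the final secret comparison. Dropping the `count($result) !== 1` check means duplicate keys now resolve to the first row iterated, which is fine only if `api_key` carries a unique constraint — worth confirming. The thrown message still echoes the caller-supplied key verbatim; consider omitting it if this error reaches logs or HTTP responses.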