T94116 Api watchlist token should be compared in constant time
Thu Mar 26 2015
The token comparison in ApiBase::getWatchlistUser() isn't constant time, so a timing attack is theoretically possible.
Patch: 0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch (1 KB)
- 1.25 - same as master (0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch, 1 KB)
- 1.24 - same as master (0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch, 1 KB)
- 1.23 - 0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch, 3 KB (includes hash_equals)
Affected Versions:
Type: csrf
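
An added example (not the attached patch and not MediaWiki's code) of the comparison issue described in this task: an ordinary string equality check next to a constant-time one built on hash_equals, with a fallback loop for PHP versions that lack it. The function names and the sample token are assumptions made for illustration.

```php
<?php
// Added example, not the MediaWiki patch. All function names are hypothetical.

// Constant-time comparison for PHP builds without hash_equals() (added in PHP 5.6).
// A length mismatch returns early, so only the length can leak; that is
// acceptable for fixed-length tokens.
function constantTimeEquals( $known, $supplied ) {
	if ( function_exists( 'hash_equals' ) ) {
		return hash_equals( $known, $supplied );
	}
	$len = strlen( $known );
	if ( $len !== strlen( $supplied ) ) {
		return false;
	}
	$diff = 0;
	// Visit every byte and OR the differences together: no data-dependent exit.
	for ( $i = 0; $i < $len; $i++ ) {
		$diff |= ord( $known[$i] ) ^ ord( $supplied[$i] );
	}
	return $diff === 0;
}

// Before: string equality may stop at the first differing byte, so the
// response time can depend on how much of the guess is correct.
function tokenMatchesUnsafe( $stored, $supplied ) {
	return $stored !== '' && $stored === $supplied;
}

// After: reject non-strings and empty stored tokens, then compare in constant time.
function tokenMatches( $stored, $supplied ) {
	if ( !is_string( $stored ) || !is_string( $supplied ) || $stored === '' ) {
		return false;
	}
	return constantTimeEquals( $stored, $supplied );
}

// Constructed sample token, not a real value.
$stored = 'c0ffee00c0ffee00c0ffee00c0ffee00c0ffee00';
var_dump( tokenMatches( $stored, $stored ) );
var_dump( tokenMatches( $stored, 'c0ffee00c0ffee00c0ffee00c0ffee00c0ffee01' ) );
var_dump( tokenMatches( $stored, '' ) );
var_dump( tokenMatches( '', '' ) );
```

The explicit empty-string rejection matters because an account with no stored token would otherwise match an empty supplied token.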