使用严等于来修复某些极端情况下密码可被绕过的漏洞
@@ -967,9 +967,9 @@ EOF;
|
||||
{
|
||||
if ('$T$' == substr($to, 0, 3)) {
|
||||
$salt = substr($to, 3, 9);
|
||||
return self::hash($from, $salt) == $to;
|
||||
return self::hash($from, $salt) === $to;
|
||||
} else {
|
||||
return md5($from) == $to;
|
||||
return md5($from) === $to;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
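Review bot: The prefix check `if ('$T$' == substr($to, 0, 3)) {` still uses loose `==`, so after this hunk one loose comparison remains in the same method while the two `return` lines were tightened; for consistency with the commit's intent change it to `if ('$T$' === substr($to, 0, 3)) {`. The strict `===` on the two `return` lines stops PHP's numeric-string juggling (two hex digests of the form `0e…` compare equal under `==`), but `===` still exits on the first differing byte; since both branches compare a credential-derived value, `return hash_equals($to, self::hash($from, $salt));` and `return hash_equals($to, md5($from));` are the constant-time form if the project's PHP floor is 5.6 or later, with `$to` cast to string first if it can be null. The `md5($from)` branch is a legacy unsalted path that deserves a comment such as `// legacy unsalted md5 hashes kept for old accounts — rehash on successful login` so the next maintainer knows it is intentional rather than an oversight. The enclosing method's signature and return type are outside the hunk.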
@@ -717,7 +717,7 @@ class Widget_Abstract_Contents extends Widget_Abstract
|
||||
|
||||
/** 处理密码保护流程 */
|
||||
if (!empty($value['password']) &&
|
||||
$value['password'] != Typecho_Cookie::get('protectPassword') &&
|
||||
$value['password'] !== Typecho_Cookie::get('protectPassword') &&
|
||||
$value['authorId'] != $this->user->uid &&
|
||||
!$this->user->pass('editor', true)) {
|
||||
$value['hidden'] = true;
|
||||
|
||||
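Review bot: The strict `!==` against `Typecho_Cookie::get('protectPassword')` now treats an absent cookie (a non-string return) as a mismatch, which is the safe default, but the next condition in the same guard, `$value['authorId'] != $this->user->uid`, keeps a loose comparison; if either side can be null or a numeric string, `!=` juggling can make an unrelated or unauthenticated user satisfy the author check, so it should get the same treatment, `$value['authorId'] !== $this->user->uid &&`, provided both fields carry the same scalar type (a string id compared strictly with an int id would never match and would hide the post from its own author) — confirm against the model before changing it. The password line is still a direct secret comparison; where the PHP floor allows, `!hash_equals((string) $value['password'], (string) Typecho_Cookie::get('protectPassword'))` removes both the type juggling and the byte-by-byte early exit. The `if` statement and its enclosing method begin and end outside the hunk.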