Compare the API key with a timing safe function

JVMerkle · JVMerkle · commit 502a74d1e4a0 · 2021-01-26T18:05:21.000+01:00
diff --git a/api/index.php b/api/index.php
@@ -14,7 +14,7 @@
 if (isset($_GET['apikey'])) {
 	$matchkey = 0;
 	foreach($cfg['stats_api_keys'] as $apikey => $desc) {
-		if ($apikey == $_GET['apikey']) $matchkey = 1;
+		if (hash_equals($apikey, $_GET['apikey'])) $matchkey = 1;
 	}
 	if ($matchkey == 0) {
 		$json = array(
@@ -494,4 +494,4 @@
 }
 
 echo json_encode($json);
-?>
+?>

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@`
`14`	`14`	`if (isset($_GET['apikey'])) {`
`15`	`15`	`$matchkey = 0;`
`16`	`16`	`foreach($cfg['stats_api_keys'] as $apikey => $desc) {`
`17`		`- if ($apikey == $_GET['apikey']) $matchkey = 1;`
	`17`	`+ if (hash_equals($apikey, $_GET['apikey'])) $matchkey = 1;`
`18`	`18`	`}`
`19`	`19`	`if ($matchkey == 0) {`
`20`	`20`	`$json = array(`
`@@ -494,4 +494,4 @@`
`494`	`494`	`}`
`495`	`495`
`496`	`496`	`echo json_encode($json);`
`497`		`-?>`
	`497`	`+?>`