From 19bb3987ae12e5f151f91452f93cfa7ea1661d66 Mon Sep 17 00:00:00 2001
From: "Niklas (Krymonota)"
Date: Wed, 12 Aug 2020 15:59:26 +0200
Subject: [PATCH] Use timing safe comparison to validate `state` parameter for social login

The Twitter social login is left out because the implementation still uses OAuth 1.0, which does not support the `state` parameter.

Closes #3501
---
 wcfsetup/install/files/lib/action/FacebookAuthAction.class.php | 2 +-
 wcfsetup/install/files/lib/action/GithubAuthAction.class.php | 2 +-
 wcfsetup/install/files/lib/action/GoogleAuthAction.class.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/wcfsetup/install/files/lib/action/FacebookAuthAction.class.php b/wcfsetup/install/files/lib/action/FacebookAuthAction.class.php
index 4060862bce..ab50f7e87f 100644
--- a/wcfsetup/install/files/lib/action/FacebookAuthAction.class.php
+++ b/wcfsetup/install/files/lib/action/FacebookAuthAction.class.php
@@ -68,7 +68,7 @@ class FacebookAuthAction extends AbstractAction {
 }
 
 // validate state, validation of state is executed after fetching the access_token to invalidate 'code'
- if (!isset($_GET['state']) || $_GET['state'] != WCF::getSession()->getVar('__facebookInit')) throw new IllegalLinkException();
+ if (!isset($_GET['state']) || !\hash_equals(WCF::getSession()->getVar('__facebookInit'), $_GET['state'])) throw new IllegalLinkException();
 WCF::getSession()->unregister('__facebookInit');
 
 try {
diff --git a/wcfsetup/install/files/lib/action/GithubAuthAction.class.php b/wcfsetup/install/files/lib/action/GithubAuthAction.class.php
index 8192670f6d..db95872029 100644
--- a/wcfsetup/install/files/lib/action/GithubAuthAction.class.php
+++ b/wcfsetup/install/files/lib/action/GithubAuthAction.class.php
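Review bot: The new `\hash_equals()` call on the `+` line accepts only strings, but neither operand is guaranteed to be one: `isset($_GET['state'])` passes for an array (`?state[]=x`), and `getVar('__facebookInit')` presumably returns null when no login was initiated in this session — the `!=` it replaces tolerated both, whereas `hash_equals()` emits a warning and returns false on PHP 7 and throws a `TypeError` on PHP 8 instead of the intended `IllegalLinkException`. I would pin the types before comparing: `$expectedState = WCF::getSession()->getVar('__facebookInit');` followed by `if (!\is_string($expectedState) || !isset($_GET['state']) || !\is_string($_GET['state']) || !\hash_equals($expectedState, $_GET['state'])) throw new IllegalLinkException();`. The enclosing method starts and ends outside this hunk, so I cannot confirm whether an earlier check already rules out the missing-session case.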
@@ -64,7 +64,7 @@ class GithubAuthAction extends AbstractAction {
 }
 
 // validate state, validation of state is executed after fetching the access_token to invalidate 'code'
- if (!isset($_GET['state']) || $_GET['state'] != WCF::getSession()->getVar('__githubInit')) throw new IllegalLinkException();
+ if (!isset($_GET['state']) || !\hash_equals(WCF::getSession()->getVar('__githubInit'), $_GET['state'])) throw new IllegalLinkException();
 WCF::getSession()->unregister('__githubInit');
 
 parse_str($content, $data);
diff --git a/wcfsetup/install/files/lib/action/GoogleAuthAction.class.php b/wcfsetup/install/files/lib/action/GoogleAuthAction.class.php
index 8211988ed4..d3f349afa8 100644
--- a/wcfsetup/install/files/lib/action/GoogleAuthAction.class.php
+++ b/wcfsetup/install/files/lib/action/GoogleAuthAction.class.php
@@ -67,7 +67,7 @@ class GoogleAuthAction extends AbstractAction {
 }
 
 // validate state, validation of state is executed after fetching the access_token to invalidate 'code'
- if (!isset($_GET['state']) || $_GET['state'] != WCF::getSession()->getVar('__googleInit')) throw new IllegalLinkException();
+ if (!isset($_GET['state']) || !\hash_equals(WCF::getSession()->getVar('__googleInit'), $_GET['state'])) throw new IllegalLinkException();
 WCF::getSession()->unregister('__googleInit');
 
 $data = JSON::decode($content);
-- 
2.20.1
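Review bot: `\hash_equals()` on the added line is type-strict, and a request with `?state[]=x` still satisfies `isset($_GET['state'])`, so the array reaches `hash_equals()` — a warning plus `false` on PHP 7, a `TypeError` on PHP 8 — rather than the `IllegalLinkException` the old `!=` path produced; the same applies if `getVar('__githubInit')` yields null for a session that never started the GitHub flow, which I cannot confirm from here. Guard the types first: `$expectedState = WCF::getSession()->getVar('__githubInit');` then `if (!\is_string($expectedState) || !isset($_GET['state']) || !\is_string($_GET['state']) || !\hash_equals($expectedState, $_GET['state'])) throw new IllegalLinkException();`. The enclosing method begins and ends outside this hunk.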
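Review bot: In the GoogleAuthAction hunk the added `\hash_equals(WCF::getSession()->getVar('__googleInit'), $_GET['state'])` can receive a non-string on either side — `$_GET['state']` may be an array despite `isset()`, and the session value is presumably null when no Google login was initiated — which turns the intended `IllegalLinkException` into a PHP warning (7.x) or an uncaught `TypeError` (8.x). Since the same pattern is repeated in all three actions, a small shared helper would keep them consistent, but the minimal fix is `$expectedState = WCF::getSession()->getVar('__googleInit');` followed by `if (!\is_string($expectedState) || !isset($_GET['state']) || !\is_string($_GET['state']) || !\hash_equals($expectedState, $_GET['state'])) throw new IllegalLinkException();`. The enclosing method starts and ends outside this hunk.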