security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)

This PR was merged into the 3.4 branch.
Nicolas Grekas 2019-11-12 13:47:53 +01:00
commit 010213408e
2 changed files with 2 additions and 1 deletions


@ -79,7 +79,7 @@ class UriSigner
$hash = $params[$this->parameter];
unset($params[$this->parameter]);
return $this->computeHash($this->buildUrl($url, $params)) === $hash;
return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
}
private function computeHash($uri)
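Review bot: `hash_equals()` on the new return line requires both arguments to be strings, but `$hash` is read straight from `$params[$this->parameter]` and nothing in this hunk checks its type. If `$params` is parsed from the request query string (not visible here), a parameter submitted in array form would reach `hash_equals()` and raise a warning on PHP 5/7 or a `TypeError` on PHP 8, where the old `===` simply evaluated to false. Adding `if (!\is_string($hash)) { return false; }` before the comparison keeps the rejection quiet and uniform. The argument order is correct as written, with the computed value first and the supplied value second. The method begins above the hunk, so an earlier guard may already cover this case.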


@ -21,6 +21,7 @@
"symfony/http-foundation": "~3.4.12|~4.0.12|^4.1.1",
"symfony/debug": "^3.3.3|~4.0",
"symfony/polyfill-ctype": "~1.8",
"symfony/polyfill-php56": "~1.8",
"psr/log": "~1.0"
},
"require-dev": {