From 23151ed1380c3212b9647c62f2385da00a6fe379 Mon Sep 17 00:00:00 2001
From: Christophe Coevoet <stof@notk.org>
Date: Fri, 24 May 2019 12:09:27 +0200
Subject: [PATCH] Use constant time comparison in UriSigner

---
 src/Symfony/Component/HttpKernel/UriSigner.php | 2 +-
 src/Symfony/Component/HttpKernel/composer.json | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/Symfony/Component/HttpKernel/UriSigner.php b/src/Symfony/Component/HttpKernel/UriSigner.php
index 481270da51..ffe31a2121 100644
--- a/src/Symfony/Component/HttpKernel/UriSigner.php
+++ b/src/Symfony/Component/HttpKernel/UriSigner.php
@@ -79,7 +79,7 @@ class UriSigner
         $hash = $params[$this->parameter];
         unset($params[$this->parameter]);
 
-        return $this->computeHash($this->buildUrl($url, $params)) === $hash;
+        return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
     }
 
     private function computeHash($uri)
diff --git a/src/Symfony/Component/HttpKernel/composer.json b/src/Symfony/Component/HttpKernel/composer.json
index f47f1162d1..7f471c680e 100644
--- a/src/Symfony/Component/HttpKernel/composer.json
+++ b/src/Symfony/Component/HttpKernel/composer.json
@@ -21,6 +21,7 @@
         "symfony/http-foundation": "~3.4.12|~4.0.12|^4.1.1",
         "symfony/debug": "^3.3.3|~4.0",
         "symfony/polyfill-ctype": "~1.8",
+        "symfony/polyfill-php56": "~1.8",
         "psr/log": "~1.0"
     },
     "require-dev": {