security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)
This PR was merged into the 3.4 branch.
This commit is contained in:
commit
010213408e
@ -79,7 +79,7 @@ class UriSigner
|
|||||||
$hash = $params[$this->parameter];
|
$hash = $params[$this->parameter];
|
||||||
unset($params[$this->parameter]);
|
unset($params[$this->parameter]);
|
||||||
|
|
||||||
return $this->computeHash($this->buildUrl($url, $params)) === $hash;
|
return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
|
||||||
}
|
}
|
||||||
|
|
||||||
private function computeHash($uri)
|
private function computeHash($uri)
|
||||||
|
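Review bot: The new `hash_equals()` call on the return line receives `$hash` straight from `$params[$this->parameter]` with no type check, and unlike the `===` it replaces, `hash_equals()` does not quietly return false for a non-string argument. If `$params` is parsed from the request query string (that code is outside the hunk), the signature parameter can arrive as an array, which raises a warning on older PHP versions and a TypeError on PHP 8. Guarding the call keeps the constant-time comparison and the previous false result: `return \is_string($hash) && hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);`. The enclosing method starts above the hunk, so an earlier check may already cover this.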
@ -21,6 +21,7 @@
|
|||||||
"symfony/http-foundation": "~3.4.12|~4.0.12|^4.1.1",
|
"symfony/http-foundation": "~3.4.12|~4.0.12|^4.1.1",
|
||||||
"symfony/debug": "^3.3.3|~4.0",
|
"symfony/debug": "^3.3.3|~4.0",
|
||||||
"symfony/polyfill-ctype": "~1.8",
|
"symfony/polyfill-ctype": "~1.8",
|
||||||
|
"symfony/polyfill-php56": "~1.8",
|
||||||
"psr/log": "~1.0"
|
"psr/log": "~1.0"
|
||||||
},
|
},
|
||||||
"require-dev": {
|
"require-dev": {
|
||||||
|