security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)
This PR was merged into the 3.4 branch.
commit
010213408e
|
@ -79,7 +79,7 @@ class UriSigner
|
|||
$hash = $params[$this->parameter];
|
||||
unset($params[$this->parameter]);
|
||||
|
||||
return $this->computeHash($this->buildUrl($url, $params)) === $hash;
|
||||
return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
|
||||
}
|
||||
|
||||
private function computeHash($uri)
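Review bot: `$hash` reaches `hash_equals()` in the new return statement without a type check, and `hash_equals()` requires both arguments to be strings. The code that fills `$params` is above the hunk, but if it comes from query-string parsing, `$params[$this->parameter]` can be an array; the old `===` then returned false quietly, whereas the new call raises a warning (a TypeError on PHP 8). I would guard it: `return \is_string($hash) && hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);`. The argument order is right as written, with the locally computed hash first and the supplied value second. The enclosing method starts outside the hunk, so an earlier check may already cover this.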
|
||||
|
|
|
@ -21,6 +21,7 @@
|
|||
"symfony/http-foundation": "~3.4.12|~4.0.12|^4.1.1",
|
||||
"symfony/debug": "^3.3.3|~4.0",
|
||||
"symfony/polyfill-ctype": "~1.8",
|
||||
"symfony/polyfill-php56": "~1.8",
|
||||
"psr/log": "~1.0"
|
||||
},
|
||||
"require-dev": {
|
||||
|
|