[Security] Use hash_equals for constant-time string comparison

2014-09-02 00:40:13 +02:00 · 2014-09-02 00:40:13 +02:00 · 03bd74bdea
parent b554961a5b
commit 03bd74bdea
1 changed files with 9 additions and 1 deletions
--- a/src/Symfony/Component/Security/Core/Util/StringUtils.php
+++ b/src/Symfony/Component/Security/Core/Util/StringUtils.php
@ -27,6 +27,7 @@ class StringUtils
     * Compares two strings.
     *
     * This method implements a constant-time algorithm to compare strings.
+     * Regardless of the used implementation, it will leak length information.
     *
     * @param string $knownString The string of known length to compare against
     * @param string $userInput   The string that the user can control
@ -35,6 +36,13 @@ class StringUtils
     */
    public static function equals($knownString, $userInput)
    {
+        $knownString = (string) $knownString;
+        $userInput = (string) $userInput;
+
+        if (function_exists('hash_equals')) {
+            return hash_equals($knownString, $userInput);
+        }
+
        $knownLen = strlen($knownString);
        $userLen = strlen($userInput);

@ -45,7 +53,7 @@ class StringUtils
        $result = $knownLen - $userLen;

        // Note that we ALWAYS iterate over the user-supplied length
-        // This is to prevent leaking length information
+        // This is to mitigate leaking length information
        for ($i = 0; $i < $userLen; $i++) {
            $result |= (ord($knownString[$i]) ^ ord($userInput[$i]));
        }