diogo
/
symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Change behavior to mirror hash_equals() returning early if there is a length mismatch

This commit is contained in:
Anthony Ferrara 2015-03-23 15:15:15 -04:00 committed by Fabien Potencier
parent 8269589c91
commit 45cfb44df8
1 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/Symfony/Component/Security/Core/Util/StringUtils.php
View File

@ -38,10 +38,6 @@ class StringUtils
*/
public static function equals($knownString, $userInput)
{
if (function_exists('hash_equals')) {
return hash_equals($knownString, $userInput);
}
// Avoid making unnecessary duplications of secret data
if (!is_string($knownString)) {
$knownString = (string) $knownString;
@ -51,16 +47,20 @@ class StringUtils
$userInput = (string) $userInput;
}
if (function_exists('hash_equals')) {
return hash_equals($knownString, $userInput);
}
$knownLen = self::safeStrlen($knownString);
$userLen = self::safeStrlen($userInput);
// Set the result to the difference between the lengths
$result = $knownLen - $userLen;
if ($userLen != $knownLen) {
return false;
}
// Always iterate over the minimum length possible.
$iterationLen = min($knownLen, $userLen);
$result = 0;
for ($i = 0; $i < $iterationLen; $i++) {
for ($i = 0; $i < $knownLen; $i++) {
$result |= (ord($knownString[$i]) ^ ord($userInput[$i]));
}