From 45cfb44df873a5b18d8b4973e0f4b0397adecaad Mon Sep 17 00:00:00 2001
From: Anthony Ferrara
Date: Mon, 23 Mar 2015 15:15:15 -0400
Subject: [PATCH] Change behavior to mirror hash_equals() returning early if there is a length mismatch

---
 .../Security/Core/Util/StringUtils.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/Symfony/Component/Security/Core/Util/StringUtils.php b/src/Symfony/Component/Security/Core/Util/StringUtils.php
index c43a41a1c7..c44176a73e 100644
--- a/src/Symfony/Component/Security/Core/Util/StringUtils.php
+++ b/src/Symfony/Component/Security/Core/Util/StringUtils.php
@@ -38,10 +38,6 @@ class StringUtils
      */
     public static function equals($knownString, $userInput)
     {
-        if (function_exists('hash_equals')) {
-            return hash_equals($knownString, $userInput);
-        }
-
         // Avoid making unnecessary duplications of secret data
         if (!is_string($knownString)) {
             $knownString = (string) $knownString;
@@ -51,16 +47,20 @@ class StringUtils
             $userInput = (string) $userInput;
         }
 
+        if (function_exists('hash_equals')) {
+            return hash_equals($knownString, $userInput);
+        }
+
         $knownLen = self::safeStrlen($knownString);
         $userLen = self::safeStrlen($userInput);
 
-        // Set the result to the difference between the lengths
-        $result = $knownLen - $userLen;
+        if ($userLen != $knownLen) {
+            return false;
+        }
 
-        // Always iterate over the minimum length possible.
-        $iterationLen = min($knownLen, $userLen);
+        $result = 0;
 
-        for ($i = 0; $i < $iterationLen; $i++) {
+        for ($i = 0; $i < $knownLen; $i++) {
             $result |= (ord($knownString[$i]) ^ ord($userInput[$i]));
         }
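Review bot: The docblock that closes with `*/` at the top of the first hunk is not updated to reflect the new contract stated in the subject line: equals() now returns early when the two lengths differ, so only the contents are compared in constant time and a difference in length may be observable through timing, exactly as with hash_equals(). Add a line before the closing `*/` such as ` * Returns early when the lengths differ (mirroring hash_equals()); only the comparison of equal-length strings is constant-time.` so callers do not assume the length is hidden as well. The same early return is introduced in the second hunk as `if ($userLen != $knownLen)`, where `!==` would be the strict comparison for two ints from safeStrlen(); that hunk's last line lies outside this chunk, so its trailing lines are not reviewed here. The body of equals() continues past both hunks.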