prevent timing attacks in digest auth listener
This commit is contained in:
parent
557ea17eeb
commit
819aa54fe4
@ -66,7 +66,7 @@ class DefaultCsrfProvider implements CsrfProviderInterface
return StringUtils::equals($expectedToken, $token);
return StringUtils::equals($expectedToken, $token);
}
}
return $token === $this->generateCsrfToken($intention);
return $token === $expectedToken;
}
}
/**
/**
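Review bot: The fall-through return in this hunk, `return $token === $expectedToken;` (taking the second of the paired lines as the new side), still compares the CSRF token with `===`, while the branch three lines above uses `StringUtils::equals`, so this path remains a variable-time comparison of an attacker-supplied value. Using the same helper on both paths, `return StringUtils::equals($expectedToken, $token);`, keeps the method consistent with what this commit sets out to do. A short comment such as `// constant-time compare: $token is attacker-controlled` on that line would make the intent clear to the next maintainer. The enclosing method starts before the hunk, so the condition that selects the first branch is not visible here.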
@ -13,6 +13,7 @@ namespace Symfony\Component\Security\Http\Firewall;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Core\Util\StringUtils;
use Symfony\Component\Security\Http\EntryPoint\DigestAuthenticationEntryPoint;
use Symfony\Component\Security\Http\EntryPoint\DigestAuthenticationEntryPoint;
use Psr\Log\LoggerInterface;
use Psr\Log\LoggerInterface;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
@ -99,7 +100,7 @@ class DigestAuthenticationListener implements ListenerInterface
return;
return;
}
}
if ($serverDigestMd5 !== $digestAuth->getResponse()) {
if (!StringUtils::equals($serverDigestMd5, $digestAuth->getResponse())) {
if (null !== $this->logger) {
if (null !== $this->logger) {
$this->logger->debug(sprintf('Expected response: "%s" but received: "%s"; is AuthenticationDao returning clear text passwords?', $serverDigestMd5, $digestAuth->getResponse()));
$this->logger->debug(sprintf('Expected response: "%s" but received: "%s"; is AuthenticationDao returning clear text passwords?', $serverDigestMd5, $digestAuth->getResponse()));
}
}
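Review bot: The debug call that follows the new `StringUtils::equals` check still writes the server-computed digest, `$serverDigestMd5`, into the log together with the client's response, so anyone with read access to the log obtains the exact value a client needed to send for that nonce; the constant-time compare added here does not help if the expected value is disclosed through another channel. Logging only the fact of the mismatch is enough for diagnosis, e.g. `$this->logger->debug('Digest response did not match the expected value; is AuthenticationDao returning clear text passwords?');`. The argument order passed to `StringUtils::equals` (known value first, user-supplied response second) is the right one and worth keeping. The enclosing `handle()` method begins before this hunk, and I assume `$serverDigestMd5` is derived from the stored credential as its name suggests.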