security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)

This PR was merged into the 4.2 branch.
2019-11-12 13:54:13 +01:00 · 2019-11-12 13:54:13 +01:00 · 9cbe360d68
parent 9fa32f4ba1 cccefe6a7f
commit 9cbe360d68
2 changed files with 2 additions and 1 deletions
--- a/src/Symfony/Component/HttpKernel/UriSigner.php
+++ b/src/Symfony/Component/HttpKernel/UriSigner.php
@ -79,7 +79,7 @@ class UriSigner
        $hash = $params[$this->parameter];
        unset($params[$this->parameter]);

-        return $this->computeHash($this->buildUrl($url, $params)) === $hash;
+        return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
    }

    private function computeHash($uri)
--- a/src/Symfony/Component/HttpKernel/composer.json
+++ b/src/Symfony/Component/HttpKernel/composer.json
@ -22,6 +22,7 @@
        "symfony/http-foundation": "^4.1.1",
        "symfony/debug": "~3.4|~4.0",
        "symfony/polyfill-ctype": "~1.8",
+        "symfony/polyfill-php56": "~1.8",
        "psr/log": "~1.0"
    },
    "require-dev": {