fix potential timing attack issue
This commit is contained in:
Christian Flothmann
Fabien Potencier
parent
3dc2244187
commit
f1fd7686c5
|
|
@ -21,6 +21,7 @@ use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
|
|||
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
|
||||
use Symfony\Component\Security\Core\Util\SecureRandomInterface;
|
||||
use Psr\Log\LoggerInterface;
|
||||
use Symfony\Component\Security\Core\Util\StringUtils;
|
||||
|
||||
/**
|
||||
* Concrete implementation of the RememberMeServicesInterface which needs
|
||||
|
|
@ -90,7 +91,7 @@ class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
|
|||
list($series, $tokenValue) = $cookieParts;
|
||||
$persistentToken = $this->tokenProvider->loadTokenBySeries($series);
|
||||
|
||||
if ($persistentToken->getTokenValue() !== $tokenValue) {
|
||||
if (!StringUtils::equals($persistentToken->getTokenValue(), $tokenValue)) {
|
||||
throw new CookieTheftException('This token was already used. The account is possibly compromised.');
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ use Symfony\Component\HttpFoundation\Response;
|
|||
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
|
||||
use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
||||
use Symfony\Component\Security\Core\User\UserInterface;
|
||||
use Symfony\Component\Security\Core\Util\StringUtils;
|
||||
|
||||
/**
|
||||
* Concrete implementation of the RememberMeServicesInterface providing
|
||||
|
|
@ -53,7 +54,7 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
|
|||
throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_class($user)));
|
||||
}
|
||||
|
||||
if (true !== $this->compareHashes($hash, $this->generateCookieHash($class, $username, $expires, $user->getPassword()))) {
|
||||
if (!StringUtils::equals($this->generateCookieHash($class, $username, $expires, $user->getPassword()), $hash)) {
|
||||
throw new AuthenticationException('The cookie\'s hash is invalid.');
|
||||
}
|
||||
|
||||
|
|
@ -64,31 +65,6 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
|
|||
return $user;
|
||||
}
|
||||
|
||||
/**
|
||||
* Compares two hashes using a constant-time algorithm to avoid (remote)
|
||||
* timing attacks.
|
||||
*
|
||||
* This is the same implementation as used in the BasePasswordEncoder.
|
||||
*
|
||||
* @param string $hash1 The first hash
|
||||
* @param string $hash2 The second hash
|
||||
*
|
||||
* @return bool true if the two hashes are the same, false otherwise
|
||||
*/
|
||||
private function compareHashes($hash1, $hash2)
|
||||
{
|
||||
if (strlen($hash1) !== $c = strlen($hash2)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$result = 0;
|
||||
for ($i = 0; $i < $c; ++$i) {
|
||||
$result |= ord($hash1[$i]) ^ ord($hash2[$i]);
|
||||
}
|
||||
|
||||
return 0 === $result;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
|
|
|
|||
Reference in New Issue