Provisional OAuth, OpenID token check timing attack patches

extlib/OAuth.php

@@ -54,6 +54,24 @@ class OAuthSignatureMethod {/*{{{*/
   public function check_signature(&$request, $consumer, $token, $signature) {
     $built = $this->build_signature($request, $consumer, $token);
     return $built == $signature;
+
+    // Check for zero length, although unlikely here
+    if (strlen($built) == 0 || strlen($signature) == 0) {
+      return false;
+    }
+
+    if (strlen($built) != strlen($signature)) {
+      return false;
+    }
+
+    $result = 0;
+
+    // Avoid a timing leak with a (hopefully) time insensitive compare
+    for ($i = 0; $i < strlen($signature); $i++) {
+      $result |= ord($built{$i}) ^ ord($signature{$i});
+    }
+
+    return $result == 0;
   }
 }/*}}}*/