Merge branch '2.4' into 2.5

* 2.4: (21 commits)
  [HttpKernel] fixed some unit tests for 2.4 (signature now uses SHA256 instead of MD5)
  [HttpKernel] simplified code
  [HttpKernel] fixed internal fragment handling
  fixing yaml indentation
  [WebProfiler] replaced the import/export feature from the web interface to a CLI tool
  Forced all fragment uris to be signed, even for ESI
  Add tests and more assertions
  [FrameworkBundle][Translator] Validate locales.
  [HttpFoundation] added some missing tests
  [HttpFoundation] Improve string values in test codes
  [Security] Add more tests for StringUtils::equals
  fix comment: not fourth but sixth argument
  fixing typo in a comment
  [FrameworkBundle] fixed CS
  [FrameworkBundle] PhpExtractor bugfix and improvements
  [Finder] Fix findertest readability
  [Filesystem] Add FTP stream wrapper context option to enable overwrite (override)
  fix parsing of Authorization header
  Test examples from Drupal SA-CORE-2014-003
  Fix potential DoS when parsing HOST
  ...

Conflicts:
	src/Symfony/Bundle/FrameworkBundle/Tests/Translation/TranslatorTest.php
	src/Symfony/Bundle/FrameworkBundle/Translation/Translator.php

2 files changed, 45 insertions, 11 deletions

diff --git a/Core/Tests/Util/StringUtilsTest.php b/Core/Tests/Util/StringUtilsTest.php
index 89da98d..e0366a5 100644
--- a/Core/Tests/Util/StringUtilsTest.php
+++ b/Core/Tests/Util/StringUtilsTest.php
@@ -13,11 +13,49 @@ namespace Symfony\Component\Security\Core\Tests\Util;
 
 use Symfony\Component\Security\Core\Util\StringUtils;
 
+/**
+ * Data from PHP.net's hash_equals tests
+ */
 class StringUtilsTest extends \PHPUnit_Framework_TestCase
 {
-    public function testEquals()
+    public function dataProviderTrue()
+    {
+        return array(
+            array('same', 'same'),
+            array('', ''),
+            array(123, 123),
+            array(null, ''),
+            array(null, null),
+        );
+    }
+
+    public function dataProviderFalse()
+    {
+        return array(
+            array('not1same', 'not2same'),
+            array('short', 'longer'),
+            array('longer', 'short'),
+            array('', 'notempty'),
+            array('notempty', ''),
+            array(123, 'NaN'),
+            array('NaN', 123),
+            array(null, 123),
+        );
+    }
+
+    /**
+     * @dataProvider dataProviderTrue
+     */
+    public function testEqualsTrue($known, $user)
+    {
+        $this->assertTrue(StringUtils::equals($known, $user));
+    }
+
+    /**
+     * @dataProvider dataProviderFalse
+     */
+    public function testEqualsFalse($known, $user)
     {
-        $this->assertTrue(StringUtils::equals('password', 'password'));
-        $this->assertFalse(StringUtils::equals('password', 'foo'));
+        $this->assertFalse(StringUtils::equals($known, $user));
     }
 }
diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php
index d47bd4b..5e13037 100644
--- a/Core/Util/StringUtils.php
+++ b/Core/Util/StringUtils.php
@@ -35,23 +35,19 @@ class StringUtils
      */
     public static function equals($knownString, $userInput)
     {
-        // Prevent issues if string length is 0
-        $knownString .= chr(0);
-        $userInput .= chr(0);
-
         $knownLen = strlen($knownString);
         $userLen = strlen($userInput);
 
+        // Extend the known string to avoid uninitialized string offsets
+        $knownString .= $userInput;
+
         // Set the result to the difference between the lengths
         $result = $knownLen - $userLen;
 
         // Note that we ALWAYS iterate over the user-supplied length
         // This is to prevent leaking length information
         for ($i = 0; $i < $userLen; $i++) {
-            // Using % here is a trick to prevent notices
-            // It's safe, since if the lengths are different
-            // $result is already non-0
-            $result |= (ord($knownString[$i % $knownLen]) ^ ord($userInput[$i]));
+            $result |= (ord($knownString[$i]) ^ ord($userInput[$i]));
         }
 
         // They are only identical strings if $result is exactly 0...