author | Christian Flothmann <christian.flothmann@xabbuh.de> | 2015-11-10 16:51:36 +0100 |
---|---|---|
committer | Fabien Potencier <fabien.potencier@gmail.com> | 2015-11-23 11:02:49 +0100 |
commit | f0ebcd061a1a7875de332d36de9c50a416885caa (patch) | |
tree | ff736a56ee5f8b45d5add353c1da8cb02f7d1fd2 | |
parent | 846a13ad9d7b2078d9dcc3db8a176a17a9659f11 (diff) | |
prevent timing attacks in digest auth listener
-rw-r--r-- | Http/Firewall/DigestAuthenticationListener.php | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/Http/Firewall/DigestAuthenticationListener.php b/Http/Firewall/DigestAuthenticationListener.php
index a88250b..5e1159f 100644
--- a/Http/Firewall/DigestAuthenticationListener.php
+++ b/Http/Firewall/DigestAuthenticationListener.php
@@ -13,6 +13,7 @@ namespace Symfony\Component\Security\Http\Firewall;
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Core\Util\StringUtils;
 use Symfony\Component\Security\Http\EntryPoint\DigestAuthenticationEntryPoint;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
@@ -99,7 +100,7 @@ class DigestAuthenticationListener implements ListenerInterface
             return;
         }
 
-        if ($serverDigestMd5 !== $digestAuth->getResponse()) {
+        if (!StringUtils::equals($serverDigestMd5, $digestAuth->getResponse())) {
             if (null !== $this->logger) {
                 $this->logger->debug(sprintf('Expected response: "%s" but received: "%s"; is AuthenticationDao returning clear text passwords?', $serverDigestMd5, $digestAuth->getResponse()));
             } |
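Review bot: The constant-time comparison now protects `$serverDigestMd5`, but the `$this->logger->debug(...)` call on the line below the changed condition still writes that same expected digest to the log in full; it is a valid authenticator for this nonce and request, so anywhere debug logging is enabled it ends up as a replayable secret in log storage. I would keep only the client-supplied value in the message, e.g. `$this->logger->debug(sprintf('Digest response mismatch, received: "%s"; is AuthenticationDao returning clear text passwords?', $digestAuth->getResponse()));`, and mention in a one-line comment that the expected digest is deliberately not logged. The fix itself looks right: the strings being compared are fixed-length MD5 hex digests, so any early exit on a length mismatch inside StringUtils::equals does not leak anything useful. The enclosing method begins and ends outside this hunk, so whether the mismatch path also clears the token or throws is not visible here.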