authorFabien Potencier <fabien.potencier@gmail.com>2014-09-03 11:00:14 +0200
committerFabien Potencier <fabien.potencier@gmail.com>2014-09-03 11:00:14 +0200
commit12cf9164db2fbbcf3b918cc43810414c10f8230d (patch)
treec74775a4ff907bb5c4b5ec744a3e5ee9298bac62 /Core/Util/StringUtils.php
parent12a6ccbca008f06b7b6a95b2e0ec02abc03e4253 (diff)
parentea2fdb74f55f823975150e0bf6da7c8bc0ccafc6 (diff)
Merge branch '2.4' into 2.5
* 2.4: (21 commits) [HttpKernel] fixed some unit tests for 2.4 (signature now uses SHA256 instead of MD5) [HttpKernel] simplified code [HttpKernel] fixed internal fragment handling fixing yaml indentation [WebProfiler] replaced the import/export feature from the web interface to a CLI tool Forced all fragment uris to be signed, even for ESI Add tests and more assertions [FrameworkBundle][Translator] Validate locales. [HttpFoundation] added some missing tests [HttpFoundation] Improve string values in test codes [Security] Add more tests for StringUtils::equals fix comment: not fourth but sixth argument fixing typo in a comment [FrameworkBundle] fixed CS [FrameworkBundle] PhpExtractor bugfix and improvements [Finder] Fix findertest readability [Filesystem] Add FTP stream wrapper context option to enable overwrite (override) fix parsing of Authorization header Test examples from Drupal SA-CORE-2014-003 Fix potential DoS when parsing HOST ... Conflicts: src/Symfony/Bundle/FrameworkBundle/Tests/Translation/TranslatorTest.php src/Symfony/Bundle/FrameworkBundle/Translation/Translator.php
Diffstat (limited to 'Core/Util/StringUtils.php')
-rw-r--r--Core/Util/StringUtils.php12
1 files changed, 4 insertions, 8 deletions
diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php
index d47bd4b..5e13037 100644
--- a/Core/Util/StringUtils.php
+++ b/Core/Util/StringUtils.php
@@ -35,23 +35,19 @@ class StringUtils
*/
public static function equals($knownString, $userInput)
{
- // Prevent issues if string length is 0
- $knownString .= chr(0);
- $userInput .= chr(0);
-
$knownLen = strlen($knownString);
$userLen = strlen($userInput);
+ // Extend the known string to avoid uninitialized string offsets
+ $knownString .= $userInput;
+
// Set the result to the difference between the lengths
$result = $knownLen - $userLen;
// Note that we ALWAYS iterate over the user-supplied length
// This is to prevent leaking length information
for ($i = 0; $i < $userLen; $i++) {
- // Using % here is a trick to prevent notices
- // It's safe, since if the lengths are different
- // $result is already non-0
- $result |= (ord($knownString[$i % $knownLen]) ^ ord($userInput[$i]));
+ $result |= (ord($knownString[$i]) ^ ord($userInput[$i]));
}
// They are only identical strings if $result is exactly 0...