[Security] Use hash_equals for constant-time string comparison

1 files changed, 9 insertions, 1 deletions

diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php
index 5e13037..acf8e9e 100644
--- a/Core/Util/StringUtils.php
+++ b/Core/Util/StringUtils.php
@@ -27,6 +27,7 @@ class StringUtils
      * Compares two strings.
      *
      * This method implements a constant-time algorithm to compare strings.
+     * Regardless of the used implementation, it will leak length information.
      *
      * @param string $knownString The string of known length to compare against
      * @param string $userInput   The string that the user can control
@@ -35,6 +36,13 @@ class StringUtils
      */
     public static function equals($knownString, $userInput)
     {
+        $knownString = (string) $knownString;
+        $userInput = (string) $userInput;
+
+        if (function_exists('hash_equals')) {
+            return hash_equals($knownString, $userInput);
+        }
+
         $knownLen = strlen($knownString);
         $userLen = strlen($userInput);
 
@@ -45,7 +53,7 @@ class StringUtils
         $result = $knownLen - $userLen;
 
         // Note that we ALWAYS iterate over the user-supplied length
-        // This is to prevent leaking length information
+        // This is to mitigate leaking length information
         for ($i = 0; $i < $userLen; $i++) {
             $result |= (ord($knownString[$i]) ^ ord($userInput[$i]));
         }