author | Fabien Potencier <fabien.potencier@gmail.com> | 2014-09-17 11:45:32 +0200 |
---|---|---|
committer | Fabien Potencier <fabien.potencier@gmail.com> | 2014-09-17 11:45:32 +0200 |
commit | 9aefee358bddb7baf5ae57607f4af2e721397f58 (patch) | |
tree | b9a59f2cd2b1aaa167c3ea8637c5dd2557b048f1 /Core/Util/StringUtils.php | |
parent | 0c51a70c04279663ac6e016efeb31557b28b0c44 (diff) | |
parent | 4368c75cbeb587fede098da5a6c5c705fe19f238 (diff) | |
Merge branch '2.3' into 2.4
* 2.3: (35 commits)
[Form] Fix PHPDoc for builder setData methods The underlying data variable is typed as mixed whereas the method's parameters were typed as array.
fixed CS
[Intl] Improved bundle reader implementations
[Console] guarded against invalid aliases
switch before_script to before_install and script to install
fixed typo
[HttpFoundation] Request - URI - comment improvements
[Security] Added more tests
remove `service` parameter type from XSD
[Intl] Added exception handler to command line scripts
[Intl] Fixed a few bugs in TextBundleWriter
[Intl] Updated icu.ini up to ICU 53
[Intl] Removed non-working $fallback argument from ArrayAccessibleResourceBundle
Use separated function to resolve command and related arguments
[SwiftmailerBridge] Bump allowed versions of swiftmailer
[FrameworkBundle] Remove invalid markup
[Intl] Added "internal" tag to all classes under Symfony\Component\Intl\ResourceBundle
Remove routes for removed WebProfiler actions
[Security] Fix usage of unexistent method in DoctrineAclCache.
backport more error information from 2.6 to 2.3
...
Conflicts:
.travis.yml
src/Symfony/Component/DependencyInjection/Loader/YamlFileLoader.php
src/Symfony/Component/DependencyInjection/Tests/Loader/XmlFileLoaderTest.php
src/Symfony/Component/HttpKernel/Kernel.php
src/Symfony/Component/Process/PhpExecutableFinder.php
Diffstat (limited to 'Core/Util/StringUtils.php')
-rw-r--r-- | Core/Util/StringUtils.php | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php index 5e13037..acf8e9e 100644 --- a/Core/Util/StringUtils.php +++ b/Core/Util/StringUtils.php @@ -27,6 +27,7 @@ class StringUtils * Compares two strings. * * This method implements a constant-time algorithm to compare strings. + * Regardless of the used implementation, it will leak length information. * * @param string $knownString The string of known length to compare against * @param string $userInput The string that the user can control @@ -35,6 +36,13 @@ class StringUtils */ public static function equals($knownString, $userInput) { + $knownString = (string) $knownString; + $userInput = (string) $userInput; + + if (function_exists('hash_equals')) { + return hash_equals($knownString, $userInput); + } + $knownLen = strlen($knownString); $userLen = strlen($userInput); @@ -45,7 +53,7 @@ class StringUtils $result = $knownLen - $userLen; // Note that we ALWAYS iterate over the user-supplied length - // This is to prevent leaking length information + // This is to mitigate leaking length information for ($i = 0; $i < $userLen; $i++) { $result |= (ord($knownString[$i]) ^ ord($userInput[$i])); } |
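Review bot: the new `hash_equals()` delegation and the `(string)` casts in `equals()` change the method's contract in two ways the docblock does not yet describe. First, the docblock should state that `hash_equals()` (PHP 5.6+) is used when available and that the hand-rolled loop is only the fallback, so readers know which code path they are auditing. Second, since `hash_equals()` and the fallback both treat the first argument as the known string and the second as the user-controlled one (the loop iterates only over `$userLen`), the `@param` lines should warn that swapping the arguments silently weakens the timing property; the newly added line `* Regardless of the used implementation, it will leak length information.` is a good place to add that note. On the casts: `(string) $knownString` will coerce an array to `"Array"` with a notice rather than reject it; consider whether non-string input should fail loudly instead of being compared. The comment change from "prevent" to "mitigate" in the last hunk is consistent with the docblock change and reads correctly.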