summaryrefslogtreecommitdiffstats
path: root/Core/Util/StringUtils.php
diff options
context:
space:
mode:
authorFabien Potencier <fabien.potencier@gmail.com>2014-09-17 11:45:32 +0200
committerFabien Potencier <fabien.potencier@gmail.com>2014-09-17 11:45:32 +0200
commit9aefee358bddb7baf5ae57607f4af2e721397f58 (patch)
treeb9a59f2cd2b1aaa167c3ea8637c5dd2557b048f1 /Core/Util/StringUtils.php
parent0c51a70c04279663ac6e016efeb31557b28b0c44 (diff)
parent4368c75cbeb587fede098da5a6c5c705fe19f238 (diff)
downloadsymfony-security-9aefee358bddb7baf5ae57607f4af2e721397f58.zip
symfony-security-9aefee358bddb7baf5ae57607f4af2e721397f58.tar.gz
symfony-security-9aefee358bddb7baf5ae57607f4af2e721397f58.tar.bz2
Merge branch '2.3' into 2.4
* 2.3: (35 commits) [Form] Fix PHPDoc for builder setData methods The underlying data variable is typed as mixed whereas the methods paramers where typed as array. fixed CS [Intl] Improved bundle reader implementations [Console] guarded against invalid aliases switch before_script to before_install and script to install fixed typo [HttpFoundation] Request - URI - comment improvements [Security] Added more tests remove `service` parameter type from XSD [Intl] Added exception handler to command line scripts [Intl] Fixed a few bugs in TextBundleWriter [Intl] Updated icu.ini up to ICU 53 [Intl] Removed non-working $fallback argument from ArrayAccessibleResourceBundle Use separated function to resolve command and related arguments [SwiftmailerBridge] Bump allowed versions of swiftmailer [FrameworkBundle] Remove invalid markup [Intl] Added "internal" tag to all classes under Symfony\Component\Intl\ResourceBundle Remove routes for removed WebProfiler actions [Security] Fix usage of unexistent method in DoctrineAclCache. backport more error information from 2.6 to 2.3 ... Conflicts: .travis.yml src/Symfony/Component/DependencyInjection/Loader/YamlFileLoader.php src/Symfony/Component/DependencyInjection/Tests/Loader/XmlFileLoaderTest.php src/Symfony/Component/HttpKernel/Kernel.php src/Symfony/Component/Process/PhpExecutableFinder.php
Diffstat (limited to 'Core/Util/StringUtils.php')
-rw-r--r--Core/Util/StringUtils.php10
1 files changed, 9 insertions, 1 deletions
diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php
index 5e13037..acf8e9e 100644
--- a/Core/Util/StringUtils.php
+++ b/Core/Util/StringUtils.php
@@ -27,6 +27,7 @@ class StringUtils
* Compares two strings.
*
* This method implements a constant-time algorithm to compare strings.
+ * Regardless of the used implementation, it will leak length information.
*
* @param string $knownString The string of known length to compare against
* @param string $userInput The string that the user can control
@@ -35,6 +36,13 @@ class StringUtils
*/
public static function equals($knownString, $userInput)
{
+ $knownString = (string) $knownString;
+ $userInput = (string) $userInput;
+
+ if (function_exists('hash_equals')) {
+ return hash_equals($knownString, $userInput);
+ }
+
$knownLen = strlen($knownString);
$userLen = strlen($userInput);
@@ -45,7 +53,7 @@ class StringUtils
$result = $knownLen - $userLen;
// Note that we ALWAYS iterate over the user-supplied length
- // This is to prevent leaking length information
+ // This is to mitigate leaking length information
for ($i = 0; $i < $userLen; $i++) {
$result |= (ord($knownString[$i]) ^ ord($userInput[$i]));
}