diff options
| author | Anthony Ferrara <ircmaxell@gmail.com> | 2015-03-23 11:50:22 -0400 |
|---|---|---|
| committer | Fabien Potencier <fabien.potencier@gmail.com> | 2015-03-25 10:28:01 +0100 |
| commit | 2c5ee0dff834ea8d1cb51870ba2f8ba04b9c8e9f (patch) | |
| tree | c842e9516bfc3ad4fb56d292b0aabd3fba2e95e6 /Core/Util | |
| parent | 36bb08f5baa5b7d684413b2c6ca8daa0b77066d6 (diff) | |
| download | symfony-security-2c5ee0dff834ea8d1cb51870ba2f8ba04b9c8e9f.zip symfony-security-2c5ee0dff834ea8d1cb51870ba2f8ba04b9c8e9f.tar.gz symfony-security-2c5ee0dff834ea8d1cb51870ba2f8ba04b9c8e9f.tar.bz2 | |
Prevent modifying secrets as much as possible
Diffstat (limited to 'Core/Util')
| -rw-r--r-- | Core/Util/StringUtils.php | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php index 861e94c..95c8513 100644 --- a/Core/Util/StringUtils.php +++ b/Core/Util/StringUtils.php @@ -38,25 +38,29 @@ class StringUtils */ public static function equals($knownString, $userInput) { - $knownString = (string) $knownString; - $userInput = (string) $userInput; - if (function_exists('hash_equals')) { return hash_equals($knownString, $userInput); } + // Avoid making unnecessary duplications of secret data + if (!is_string($knownString)) { + $knownString = (string) $knownString; + } + + if (!is_string($userInput)) { + $userInput = (string) $userInput; + } + $knownLen = self::safeStrlen($knownString); $userLen = self::safeStrlen($userInput); - // Extend the known string to avoid uninitialized string offsets - $knownString .= $userInput; - // Set the result to the difference between the lengths $result = $knownLen - $userLen; - // Note that we ALWAYS iterate over the user-supplied length - // This is to mitigate leaking length information - for ($i = 0; $i < $userLen; $i++) { + // Always iterate over the minimum length possible. + $iterationLen = min($knownLen, $userLen); + + for ($i = 0; $i < $iterationLen; $i++) { $result |= (ord($knownString[$i]) ^ ord($userInput[$i])); } |