diff options
| author | Fabien Potencier <fabien.potencier@gmail.com> | 2014-09-03 10:42:07 +0200 |
|---|---|---|
| committer | Fabien Potencier <fabien.potencier@gmail.com> | 2014-09-03 10:42:07 +0200 |
| commit | ea2fdb74f55f823975150e0bf6da7c8bc0ccafc6 (patch) | |
| tree | 57b755f91fd88fbf7f462f82e085172bec289211 /Core/Util | |
| parent | cf4aa25c4d8e8d70f073bd690d67a999989eb05a (diff) | |
| parent | 329bf0c9ec47ce666b2c552ae6ee4cce4a7fd6dd (diff) | |
| download | symfony-security-ea2fdb74f55f823975150e0bf6da7c8bc0ccafc6.zip symfony-security-ea2fdb74f55f823975150e0bf6da7c8bc0ccafc6.tar.gz symfony-security-ea2fdb74f55f823975150e0bf6da7c8bc0ccafc6.tar.bz2 | |
Merge branch '2.3' into 2.4
* 2.3:
[HttpKernel] fixed internal fragment handling
fixing yaml indentation
[WebProfiler] replaced the import/export feature from the web interface to a CLI tool
Forced all fragment uris to be signed, even for ESI
Add tests and more assertions
[FrameworkBundle][Translator] Validate locales.
[HttpFoundation] added some missing tests
[HttpFoundation] Improve string values in test codes
fix comment: not fourth but sixth argument
fixing typo in a comment
[FrameworkBundle] fixed CS
[FrameworkBundle] PhpExtractor bugfix and improvements
[Finder] Fix findertest readability
[Filesystem] Add FTP stream wrapper context option to enable overwrite (override)
fix parsing of Authorization header
Test examples from Drupal SA-CORE-2014-003
Fix potential DoS when parsing HOST
Made optimization deprecating modulus operator
Conflicts:
src/Symfony/Bundle/FrameworkBundle/Resources/config/esi.xml
src/Symfony/Component/HttpFoundation/Request.php
src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
src/Symfony/Component/HttpKernel/Fragment/EsiFragmentRenderer.php
Diffstat (limited to 'Core/Util')
| -rw-r--r-- | Core/Util/StringUtils.php | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php index d47bd4b..5e13037 100644 --- a/Core/Util/StringUtils.php +++ b/Core/Util/StringUtils.php @@ -35,23 +35,19 @@ class StringUtils */ public static function equals($knownString, $userInput) { - // Prevent issues if string length is 0 - $knownString .= chr(0); - $userInput .= chr(0); - $knownLen = strlen($knownString); $userLen = strlen($userInput); + // Extend the known string to avoid uninitialized string offsets + $knownString .= $userInput; + // Set the result to the difference between the lengths $result = $knownLen - $userLen; // Note that we ALWAYS iterate over the user-supplied length // This is to prevent leaking length information for ($i = 0; $i < $userLen; $i++) { - // Using % here is a trick to prevent notices - // It's safe, since if the lengths are different - // $result is already non-0 - $result |= (ord($knownString[$i % $knownLen]) ^ ord($userInput[$i])); + $result |= (ord($knownString[$i]) ^ ord($userInput[$i])); } // They are only identical strings if $result is exactly 0... |