minor #11574 [Security] Made optimization on constant-time algorithm removing modulus operator (yosmanyga)

This PR was merged into the 2.3 branch.

Discussion
----------

[Security] Made optimization on constant-time algorithm removing modulus operator

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

This fix improves the constant-time algorithm used to compare strings, as it removes the `%` operator inside the loop.

Commits
-------

000bd0d Made optimization deprecating modulus operator

1 files changed, 4 insertions, 8 deletions

diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php
index d47bd4b..eaeed84 100644
--- a/Core/Util/StringUtils.php
+++ b/Core/Util/StringUtils.php
@@ -35,23 +35,19 @@ class StringUtils
      */
     public static function equals($knownString, $userInput)
     {
-        // Prevent issues if string length is 0
-        $knownString .= chr(0);
-        $userInput .= chr(0);
-
         $knownLen = strlen($knownString);
         $userLen = strlen($userInput);
 
+        // Extend know string to avoid uninitialized string offsets
+        $knownString .= $userInput;
+
         // Set the result to the difference between the lengths
         $result = $knownLen - $userLen;
 
         // Note that we ALWAYS iterate over the user-supplied length
         // This is to prevent leaking length information
         for ($i = 0; $i < $userLen; $i++) {
-            // Using % here is a trick to prevent notices
-            // It's safe, since if the lengths are different
-            // $result is already non-0
-            $result |= (ord($knownString[$i % $knownLen]) ^ ord($userInput[$i]));
+            $result |= (ord($knownString[$i]) ^ ord($userInput[$i]));
         }
 
         // They are only identical strings if $result is exactly 0...