[Security] changed the way passwords are compared to avoid timing attacks

author: Fabien Potencier <fabien.potencier@gmail.com> 2010-10-21 07:33:55 +0200
committer: Fabien Potencier <fabien.potencier@gmail.com> 2010-10-21 07:36:55 +0200
commit: 53627ddd47ff4d68aab31b8944cb9b818c1189f0 (patch)
tree: d2b963bee701074b75065d3803fdc4a60c46c080 /Encoder/PlaintextPasswordEncoder.php
parent: d323d6d0c4d48a2463fbd582c11cc9a495bcc1e0 (diff)
download: symfony-security-53627ddd47ff4d68aab31b8944cb9b818c1189f0.zip
symfony-security-53627ddd47ff4d68aab31b8944cb9b818c1189f0.tar.gz
symfony-security-53627ddd47ff4d68aab31b8944cb9b818c1189f0.tar.bz2
1 files changed, 2 insertions, 2 deletions
diff --git a/Encoder/PlaintextPasswordEncoder.php b/Encoder/PlaintextPasswordEncoder.php
index 256a4eb..ffbccc8 100644
--- a/Encoder/PlaintextPasswordEncoder.php
+++ b/Encoder/PlaintextPasswordEncoder.php
@@ -41,9 +41,9 @@ class PlaintextPasswordEncoder extends BasePasswordEncoder
         $pass2 = $this->mergePasswordAndSalt($raw, $salt);
 
         if (!$this->ignorePasswordCase) {
-            return $encoded === $pass2;
+            return $this->comparePasswords($encoded, $pass2);
         } else {
-            return strtolower($encoded) === strtolower($pass2);
+            return $this->comparePasswords(strtolower($encoded), strtolower($pass2));
         }
     }
 }
author	Fabien Potencier <fabien.potencier@gmail.com>	2010-10-21 07:33:55 +0200
committer	Fabien Potencier <fabien.potencier@gmail.com>	2010-10-21 07:36:55 +0200
commit	53627ddd47ff4d68aab31b8944cb9b818c1189f0 (patch)
tree	d2b963bee701074b75065d3803fdc4a60c46c080 /Encoder/PlaintextPasswordEncoder.php
parent	d323d6d0c4d48a2463fbd582c11cc9a495bcc1e0 (diff)
download	symfony-security-53627ddd47ff4d68aab31b8944cb9b818c1189f0.zip symfony-security-53627ddd47ff4d68aab31b8944cb9b818c1189f0.tar.gz symfony-security-53627ddd47ff4d68aab31b8944cb9b818c1189f0.tar.bz2