diff options
| author | Christian Flothmann <christian.flothmann@xabbuh.de> | 2015-11-10 16:18:07 +0100 |
|---|---|---|
| committer | Fabien Potencier <fabien.potencier@gmail.com> | 2015-11-23 11:02:49 +0100 |
| commit | 846a13ad9d7b2078d9dcc3db8a176a17a9659f11 (patch) | |
| tree | 3a432ec4427bb1e5f7e28c2810e9bca3cce71456 /Http/RememberMe/PersistentTokenBasedRememberMeServices.php | |
| parent | 1dabcc78193413d90a6a1eeaaf50764b67ac61af (diff) | |
| download | symfony-security-846a13ad9d7b2078d9dcc3db8a176a17a9659f11.zip symfony-security-846a13ad9d7b2078d9dcc3db8a176a17a9659f11.tar.gz symfony-security-846a13ad9d7b2078d9dcc3db8a176a17a9659f11.tar.bz2 | |
fix potential timing attack issue
Diffstat (limited to 'Http/RememberMe/PersistentTokenBasedRememberMeServices.php')
| -rw-r--r-- | Http/RememberMe/PersistentTokenBasedRememberMeServices.php | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/Http/RememberMe/PersistentTokenBasedRememberMeServices.php b/Http/RememberMe/PersistentTokenBasedRememberMeServices.php index f800668..0fffbfe 100644 --- a/Http/RememberMe/PersistentTokenBasedRememberMeServices.php +++ b/Http/RememberMe/PersistentTokenBasedRememberMeServices.php @@ -21,6 +21,7 @@ use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\Security\Core\Util\SecureRandomInterface; use Psr\Log\LoggerInterface; +use Symfony\Component\Security\Core\Util\StringUtils; /** * Concrete implementation of the RememberMeServicesInterface which needs @@ -90,7 +91,7 @@ class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices list($series, $tokenValue) = $cookieParts; $persistentToken = $this->tokenProvider->loadTokenBySeries($series); - if ($persistentToken->getTokenValue() !== $tokenValue) { + if (!StringUtils::equals($persistentToken->getTokenValue(), $tokenValue)) { throw new CookieTheftException('This token was already used. The account is possibly compromised.'); } |