diff options
| -rw-r--r-- | Core/Encoder/BasePasswordEncoder.php | 4 | ||||
| -rw-r--r-- | Core/Tests/Util/StringUtilsTest.php | 2 | ||||
| -rw-r--r-- | Core/Util/StringUtils.php | 39 | ||||
| -rw-r--r-- | Core/composer.json | 7 | ||||
| -rw-r--r-- | Csrf/CsrfTokenManager.php | 3 | ||||
| -rw-r--r-- | Csrf/composer.json | 5 | ||||
| -rw-r--r-- | Http/RememberMe/TokenBasedRememberMeServices.php | 3 | ||||
| -rw-r--r-- | Http/composer.json | 5 | ||||
| -rw-r--r-- | composer.json | 7 |
9 files changed, 29 insertions, 46 deletions
diff --git a/Core/Encoder/BasePasswordEncoder.php b/Core/Encoder/BasePasswordEncoder.php index 1c9ada1..12126d8 100644 --- a/Core/Encoder/BasePasswordEncoder.php +++ b/Core/Encoder/BasePasswordEncoder.php @@ -11,8 +11,6 @@ namespace Symfony\Component\Security\Core\Encoder; -use Symfony\Component\Security\Core\Util\StringUtils; - /** * BasePasswordEncoder is the base class for all password encoders. * @@ -83,7 +81,7 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface */ protected function comparePasswords($password1, $password2) { - return StringUtils::equals($password1, $password2); + return hash_equals($password1, $password2); } /** diff --git a/Core/Tests/Util/StringUtilsTest.php b/Core/Tests/Util/StringUtilsTest.php index faeaf25..78d9b05 100644 --- a/Core/Tests/Util/StringUtilsTest.php +++ b/Core/Tests/Util/StringUtilsTest.php @@ -15,6 +15,8 @@ use Symfony\Component\Security\Core\Util\StringUtils; /** * Data from PHP.net's hash_equals tests. + * + * @group legacy */ class StringUtilsTest extends \PHPUnit_Framework_TestCase { diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php index 343585c..5900812 100644 --- a/Core/Util/StringUtils.php +++ b/Core/Util/StringUtils.php @@ -11,10 +11,16 @@ namespace Symfony\Component\Security\Core\Util; +@trigger_error('The '.__NAMESPACE__.'\\StringUtils class is deprecated since version 2.8 and will be removed in 3.0. Use hash_equals() instead.', E_USER_DEPRECATED); + +use Symfony\Component\Polyfill\Util\Binary; + /** * String utility functions. * * @author Fabien Potencier <fabien@symfony.com> + * + * @deprecated since 2.8, to be removed in 3.0. */ class StringUtils { @@ -47,25 +53,7 @@ class StringUtils $userInput = (string) $userInput; } - if (function_exists('hash_equals')) { - return hash_equals($knownString, $userInput); - } - - $knownLen = self::safeStrlen($knownString); - $userLen = self::safeStrlen($userInput); - - if ($userLen !== $knownLen) { - return false; - } - - $result = 0; - - for ($i = 0; $i < $knownLen; ++$i) { - $result |= (ord($knownString[$i]) ^ ord($userInput[$i])); - } - - // They are only identical strings if $result is exactly 0... - return 0 === $result; + return hash_equals($knownString, $userInput); } /** @@ -77,17 +65,6 @@ class StringUtils */ public static function safeStrlen($string) { - // Premature optimization - // Since this cannot be changed at runtime, we can cache it - static $funcExists = null; - if (null === $funcExists) { - $funcExists = function_exists('mb_strlen'); - } - - if ($funcExists) { - return mb_strlen($string, '8bit'); - } - - return strlen($string); + return Binary::strlen($string); } } diff --git a/Core/composer.json b/Core/composer.json index bc14d0a..28230f0 100644 --- a/Core/composer.json +++ b/Core/composer.json @@ -17,15 +17,18 @@ ], "require": { "php": ">=5.5.9", - "paragonie/random_compat": "~1.0" + "symfony/polyfill-php55": "~1.0", + "symfony/polyfill-php56": "~1.0", + "symfony/polyfill-php70": "~1.0", + "symfony/polyfill-util": "~1.0" }, "require-dev": { "symfony/event-dispatcher": "~2.8|~3.0", "symfony/expression-language": "~2.8|~3.0", "symfony/http-foundation": "~2.8|~3.0", + "symfony/ldap": "~2.8|~3.0", "symfony/translation": "~2.8|~3.0", "symfony/validator": "~2.8|~3.0", - "symfony/ldap": "~2.8|~3.0", "psr/log": "~1.0" }, "suggest": { diff --git a/Csrf/CsrfTokenManager.php b/Csrf/CsrfTokenManager.php index e129502..cdda543 100644 --- a/Csrf/CsrfTokenManager.php +++ b/Csrf/CsrfTokenManager.php @@ -11,7 +11,6 @@ namespace Symfony\Component\Security\Csrf; -use Symfony\Component\Security\Core\Util\StringUtils; use Symfony\Component\Security\Csrf\TokenGenerator\UriSafeTokenGenerator; use Symfony\Component\Security\Csrf\TokenGenerator\TokenGeneratorInterface; use Symfony\Component\Security\Csrf\TokenStorage\NativeSessionTokenStorage; @@ -92,6 +91,6 @@ class CsrfTokenManager implements CsrfTokenManagerInterface return false; } - return StringUtils::equals($this->storage->getToken($token->getId()), $token->getValue()); + return hash_equals($this->storage->getToken($token->getId()), $token->getValue()); } } diff --git a/Csrf/composer.json b/Csrf/composer.json index 7366b02..376db29 100644 --- a/Csrf/composer.json +++ b/Csrf/composer.json @@ -17,8 +17,9 @@ ], "require": { "php": ">=5.5.9", - "symfony/security-core": "~2.8|~3.0", - "paragonie/random_compat": "~1.0" + "symfony/polyfill-php56": "~1.0", + "symfony/polyfill-php70": "~1.0", + "symfony/security-core": "~2.8|~3.0" }, "require-dev": { "symfony/http-foundation": "~2.8|~3.0" diff --git a/Http/RememberMe/TokenBasedRememberMeServices.php b/Http/RememberMe/TokenBasedRememberMeServices.php index f6107ec..a443702 100644 --- a/Http/RememberMe/TokenBasedRememberMeServices.php +++ b/Http/RememberMe/TokenBasedRememberMeServices.php @@ -17,7 +17,6 @@ use Symfony\Component\HttpFoundation\Response; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\Security\Core\Exception\AuthenticationException; use Symfony\Component\Security\Core\User\UserInterface; -use Symfony\Component\Security\Core\Util\StringUtils; /** * Concrete implementation of the RememberMeServicesInterface providing @@ -54,7 +53,7 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_class($user))); } - if (true !== StringUtils::equals($this->generateCookieHash($class, $username, $expires, $user->getPassword()), $hash)) { + if (true !== hash_equals($this->generateCookieHash($class, $username, $expires, $user->getPassword()), $hash)) { throw new AuthenticationException('The cookie\'s hash is invalid.'); } diff --git a/Http/composer.json b/Http/composer.json index b7fe686..3fad2bb 100644 --- a/Http/composer.json +++ b/Http/composer.json @@ -21,8 +21,9 @@ "symfony/event-dispatcher": "~2.8|~3.0", "symfony/http-foundation": "~2.8|~3.0", "symfony/http-kernel": "~2.8|~3.0", - "symfony/property-access": "~2.8|~3.0", - "paragonie/random_compat": "~1.0" + "symfony/polyfill-php56": "~1.0", + "symfony/polyfill-php70": "~1.0", + "symfony/property-access": "~2.8|~3.0" }, "require-dev": { "symfony/routing": "~2.8|~3.0", diff --git a/composer.json b/composer.json index 3f317fe..a6039e3 100644 --- a/composer.json +++ b/composer.json @@ -20,8 +20,11 @@ "symfony/event-dispatcher": "~2.8|~3.0", "symfony/http-foundation": "~2.8|~3.0", "symfony/http-kernel": "~2.8|~3.0", + "symfony/polyfill-php55": "~1.0", + "symfony/polyfill-php56": "~1.0", + "symfony/polyfill-php70": "~1.0", + "symfony/polyfill-util": "~1.0", "symfony/property-access": "~2.8|~3.0", - "paragonie/random_compat": "~1.0" }, "replace": { "symfony/security-core": "self.version", @@ -31,7 +34,7 @@ }, "require-dev": { "symfony/finder": "~2.8|~3.0", - "symfony/intl": "~2.8|~3.0", + "symfony/polyfill-intl-icu": "~1.0", "symfony/routing": "~2.8|~3.0", "symfony/translation": "~2.8|~3.0", "symfony/validator": "~2.8|~3.0", |