Diffstat (limited to 'Core')
-rw-r--r--Core/Tests/Util/StringUtilsTest.php44
-rw-r--r--Core/Util/StringUtils.php12
2 files changed, 45 insertions, 11 deletions
diff --git a/Core/Tests/Util/StringUtilsTest.php b/Core/Tests/Util/StringUtilsTest.php
index 89da98d..e0366a5 100644
--- a/Core/Tests/Util/StringUtilsTest.php
+++ b/Core/Tests/Util/StringUtilsTest.php
@@ -13,11 +13,49 @@ namespace Symfony\Component\Security\Core\Tests\Util;
use Symfony\Component\Security\Core\Util\StringUtils;
+/**
+ * Data from PHP.net's hash_equals tests
+ */
class StringUtilsTest extends \PHPUnit_Framework_TestCase
{
- public function testEquals()
+ public function dataProviderTrue()
+ {
+ return array(
+ array('same', 'same'),
+ array('', ''),
+ array(123, 123),
+ array(null, ''),
+ array(null, null),
+ );
+ }
+
+ public function dataProviderFalse()
+ {
+ return array(
+ array('not1same', 'not2same'),
+ array('short', 'longer'),
+ array('longer', 'short'),
+ array('', 'notempty'),
+ array('notempty', ''),
+ array(123, 'NaN'),
+ array('NaN', 123),
+ array(null, 123),
+ );
+ }
+
+ /**
+ * @dataProvider dataProviderTrue
+ */
+ public function testEqualsTrue($known, $user)
+ {
+ $this->assertTrue(StringUtils::equals($known, $user));
+ }
+
+ /**
+ * @dataProvider dataProviderFalse
+ */
+ public function testEqualsFalse($known, $user)
{
- $this->assertTrue(StringUtils::equals('password', 'password'));
- $this->assertFalse(StringUtils::equals('password', 'foo'));
+ $this->assertFalse(StringUtils::equals($known, $user));
}
}
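Review bot: The false-case provider never includes a pair that PHP's loose comparison would treat as equal, so a regression of StringUtils::equals() to `==` would still pass every case here; `'1e3'` and `'1000'` are both numeric strings and compare loosely equal while differing byte-for-byte, so adding `array('1e3', '1000'),` to dataProviderFalse pins the strict, byte-wise contract. The cases `array(123, 123)` and `array(null, '')` also pass non-string arguments through an untyped signature and rely on strlen() coercion, which the class docblock "Data from PHP.net's hash_equals tests" does not mention; a one-line addition such as `* Non-string cases rely on implicit string coercion of the arguments.` would make that intent explicit. None of these tests can observe the timing property itself, which is expected, but stating that scope in the docblock would help the next reader.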
diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php
index d47bd4b..5e13037 100644
--- a/Core/Util/StringUtils.php
+++ b/Core/Util/StringUtils.php
@@ -35,23 +35,19 @@ class StringUtils
*/
public static function equals($knownString, $userInput)
{
- // Prevent issues if string length is 0
- $knownString .= chr(0);
- $userInput .= chr(0);
-
$knownLen = strlen($knownString);
$userLen = strlen($userInput);
+ // Extend the known string to avoid uninitialized string offsets
+ $knownString .= $userInput;
+
// Set the result to the difference between the lengths
$result = $knownLen - $userLen;
// Note that we ALWAYS iterate over the user-supplied length
// This is to prevent leaking length information
for ($i = 0; $i < $userLen; $i++) {
- // Using % here is a trick to prevent notices
- // It's safe, since if the lengths are different
- // $result is already non-0
- $result |= (ord($knownString[$i % $knownLen]) ^ ord($userInput[$i]));
+ $result |= (ord($knownString[$i]) ^ ord($userInput[$i]));
}
// They are only identical strings if $result is exactly 0...