Diffstat (limited to 'Core')
-rw-r--r--Core/Authentication/AuthenticationProviderManager.php2
-rw-r--r--Core/Authentication/Provider/UserAuthenticationProvider.php2
-rw-r--r--Core/Authentication/RememberMe/PersistentToken.php2
-rw-r--r--Core/Authentication/Token/AbstractToken.php2
-rw-r--r--Core/Authentication/Token/RememberMeToken.php2
-rw-r--r--Core/Authorization/AccessDecisionManager.php2
-rw-r--r--Core/Encoder/BasePasswordEncoder.php2
-rw-r--r--Core/Encoder/EncoderFactory.php2
-rw-r--r--Core/User/InMemoryUserProvider.php2
-rw-r--r--Core/Util/StringUtils.php29
10 files changed, 38 insertions, 9 deletions
diff --git a/Core/Authentication/AuthenticationProviderManager.php b/Core/Authentication/AuthenticationProviderManager.php
index 7ca46c0..b0414f0 100644
--- a/Core/Authentication/AuthenticationProviderManager.php
+++ b/Core/Authentication/AuthenticationProviderManager.php
@@ -39,6 +39,8 @@ class AuthenticationProviderManager implements AuthenticationManagerInterface
*
* @param AuthenticationProviderInterface[] $providers An array of AuthenticationProviderInterface instances
* @param Boolean $eraseCredentials Whether to erase credentials after authentication or not
+ *
+ * @throws \InvalidArgumentException
*/
public function __construct(array $providers, $eraseCredentials = true)
{
diff --git a/Core/Authentication/Provider/UserAuthenticationProvider.php b/Core/Authentication/Provider/UserAuthenticationProvider.php
index 32d7971..ed8f499 100644
--- a/Core/Authentication/Provider/UserAuthenticationProvider.php
+++ b/Core/Authentication/Provider/UserAuthenticationProvider.php
@@ -37,6 +37,8 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
* @param UserCheckerInterface $userChecker An UserCheckerInterface interface
* @param string $providerKey A provider key
* @param Boolean $hideUserNotFoundExceptions Whether to hide user not found exception or not
+ *
+ * @throws \InvalidArgumentException
*/
public function __construct(UserCheckerInterface $userChecker, $providerKey, $hideUserNotFoundExceptions = true)
{
diff --git a/Core/Authentication/RememberMe/PersistentToken.php b/Core/Authentication/RememberMe/PersistentToken.php
index 88b0413..f3f6858 100644
--- a/Core/Authentication/RememberMe/PersistentToken.php
+++ b/Core/Authentication/RememberMe/PersistentToken.php
@@ -32,6 +32,8 @@ final class PersistentToken implements PersistentTokenInterface
* @param string $series
* @param string $tokenValue
* @param \DateTime $lastUsed
+ *
+ * @throws \InvalidArgumentException
*/
public function __construct($class, $username, $series, $tokenValue, \DateTime $lastUsed)
{
diff --git a/Core/Authentication/Token/AbstractToken.php b/Core/Authentication/Token/AbstractToken.php
index 68cbb79..f21aa76 100644
--- a/Core/Authentication/Token/AbstractToken.php
+++ b/Core/Authentication/Token/AbstractToken.php
@@ -34,6 +34,8 @@ abstract class AbstractToken implements TokenInterface
* Constructor.
*
* @param RoleInterface[] $roles An array of roles
+ *
+ * @throws \InvalidArgumentException
*/
public function __construct(array $roles = array())
{
diff --git a/Core/Authentication/Token/RememberMeToken.php b/Core/Authentication/Token/RememberMeToken.php
index de50e5c..6f3d821 100644
--- a/Core/Authentication/Token/RememberMeToken.php
+++ b/Core/Authentication/Token/RememberMeToken.php
@@ -29,6 +29,8 @@ class RememberMeToken extends AbstractToken
* @param UserInterface $user
* @param string $providerKey
* @param string $key
+ *
+ * @throws \InvalidArgumentException
*/
public function __construct(UserInterface $user, $providerKey, $key)
{
diff --git a/Core/Authorization/AccessDecisionManager.php b/Core/Authorization/AccessDecisionManager.php
index a8bb5cf..6028c42 100644
--- a/Core/Authorization/AccessDecisionManager.php
+++ b/Core/Authorization/AccessDecisionManager.php
@@ -34,6 +34,8 @@ class AccessDecisionManager implements AccessDecisionManagerInterface
* @param string $strategy The vote strategy
* @param Boolean $allowIfAllAbstainDecisions Whether to grant access if all voters abstained or not
* @param Boolean $allowIfEqualGrantedDeniedDecisions Whether to grant access if result are equals
+ *
+ * @throws \InvalidArgumentException
*/
public function __construct(array $voters, $strategy = 'affirmative', $allowIfAllAbstainDecisions = false, $allowIfEqualGrantedDeniedDecisions = true)
{
diff --git a/Core/Encoder/BasePasswordEncoder.php b/Core/Encoder/BasePasswordEncoder.php
index 1ef134b..c26c9ce 100644
--- a/Core/Encoder/BasePasswordEncoder.php
+++ b/Core/Encoder/BasePasswordEncoder.php
@@ -52,6 +52,8 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface
* @param string $salt the salt to be used
*
* @return string a merged password and salt
+ *
+ * @throws \InvalidArgumentException
*/
protected function mergePasswordAndSalt($password, $salt)
{
diff --git a/Core/Encoder/EncoderFactory.php b/Core/Encoder/EncoderFactory.php
index 9429441..8bad61f 100644
--- a/Core/Encoder/EncoderFactory.php
+++ b/Core/Encoder/EncoderFactory.php
@@ -51,6 +51,8 @@ class EncoderFactory implements EncoderFactoryInterface
* @param array $config
*
* @return PasswordEncoderInterface
+ *
+ * @throws \InvalidArgumentException
*/
private function createEncoder(array $config)
{
diff --git a/Core/User/InMemoryUserProvider.php b/Core/User/InMemoryUserProvider.php
index eae2083..bd74804 100644
--- a/Core/User/InMemoryUserProvider.php
+++ b/Core/User/InMemoryUserProvider.php
@@ -50,6 +50,8 @@ class InMemoryUserProvider implements UserProviderInterface
* Adds a new User to the provider.
*
* @param UserInterface $user A UserInterface instance
+ *
+ * @throws \LogicException
*/
public function createUser(UserInterface $user)
{
diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php
index d21efd3..2e8925d 100644
--- a/Core/Util/StringUtils.php
+++ b/Core/Util/StringUtils.php
@@ -28,22 +28,33 @@ class StringUtils
*
* This method implements a constant-time algorithm to compare strings.
*
- * @param string $str1 The first string
- * @param string $str2 The second string
+ * @param string $knownString The string of known length to compare against
+ * @param string $userInput The string that the user can control
*
* @return Boolean true if the two strings are the same, false otherwise
*/
- public static function equals($str1, $str2)
+ public static function equals($knownString, $userInput)
{
- if (strlen($str1) !== $c = strlen($str2)) {
- return false;
- }
+ // Prevent issues if string length is 0
+ $knownString .= chr(0);
+ $userInput .= chr(0);
+
+ $knownLen = strlen($knownString);
+ $userLen = strlen($userInput);
+
+ // Set the result to the difference between the lengths
+ $result = $knownLen - $userLen;
- $result = 0;
- for ($i = 0; $i < $c; $i++) {
- $result |= ord($str1[$i]) ^ ord($str2[$i]);
+ // Note that we ALWAYS iterate over the user-supplied length
+ // This is to prevent leaking length information
+ for ($i = 0; $i < $userLen; $i++) {
+ // Using % here is a trick to prevent notices
+ // It's safe, since if the lengths are different
+ // $result is already non-0
+ $result |= (ord($knownString[$i % $knownLen]) ^ ord($userInput[$i]));
}
+ // They are only identical strings if $result is exactly 0...
return 0 === $result;
}
}
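Review bot: Argument order in `equals()` is now security-relevant, because the loop bound is `$userLen`: a caller that passes the stored secret as the second argument makes the iteration count follow the secret's length, and nothing in the signature enforces the order. The call sites are not in this hunk, so each should be checked to confirm the expected value is passed first, and the docblock should say so, e.g. `* The known (secret) value MUST be the first argument; swapping the two exposes its length through timing.` Separately, `strlen()` and the byte index `$knownString[$i % $knownLen]` can disagree if mbstring function overloading is enabled, which would leave trailing bytes uncompared; a byte-safe length such as `mb_strlen($s, '8bit')` where mbstring is loaded avoids that. Where the runtime provides `hash_equals()`, delegating to it is preferable to maintaining the hand-written loop.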