[Security] Use hash_equals for constant-time string comparison

dunglas · dunglas · commit 74973e0a5370 · 2014-08-29T23:30:06.000+02:00
diff --git a/src/Symfony/Component/Security/Core/Util/StringUtils.php b/src/Symfony/Component/Security/Core/Util/StringUtils.php
@@ -15,6 +15,7 @@
  * String utility functions.
  *
  * @author Fabien Potencier <fabien@symfony.com>
+ * @author Kévin Dunglas <dunglas@gmail.com>
  */
 class StringUtils
 {
@@ -35,6 +36,11 @@ private function __construct() {}
      */
     public static function equals($knownString, $userInput)
     {
+        // Use hash_equals if applicable
+        if (function_exists('hash_equals') && strlen($knownString) === strlen($userInput)) {
+            return hash_equals($knownString, $userInput);
+        }
+
         // Prevent issues if string length is 0
         $knownString .= chr(0);
         $userInput .= chr(0);

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@`
`15`	`15`	`* String utility functions.`
`16`	`16`	`*`
`17`	`17`	`* @author Fabien Potencier <fabien@symfony.com>`
	`18`	`+ * @author Kévin Dunglas <dunglas@gmail.com>`
`18`	`19`	`*/`
`19`	`20`	`class StringUtils`
`20`	`21`	`{`
`@@ -35,6 +36,11 @@ private function __construct() {}`
`35`	`36`	`*/`
`36`	`37`	`public static function equals($knownString, $userInput)`
`37`	`38`	`{`
	`39`	`+ // Use hash_equals if applicable`
	`40`	`+ if (function_exists('hash_equals') && strlen($knownString) === strlen($userInput)) {`
	`41`	`+ return hash_equals($knownString, $userInput);`
	`42`	`+ }`
	`43`	`+`
`38`	`44`	`// Prevent issues if string length is 0`
`39`	`45`	`$knownString .= chr(0);`
`40`	`46`	`$userInput .= chr(0);`