Use timing attack safe string comparison

cakephp · Aug 25, 2017 · bab2dc2 · bab2dc2
1 parent 91274dd
commit bab2dc2
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/Auth/DigestAuthenticate.php b/src/Auth/DigestAuthenticate.php
@@ -121,7 +121,7 @@ public function getUser(ServerRequest $request)
         unset($user[$field]);
 
         $hash = $this->generateResponseHash($digest, $password, $request->getEnv('ORIGINAL_REQUEST_METHOD'));
-        if ($digest['response'] === $hash) {
+        if (hash_equals($hash, $digest['response'])) {
             return $user;
         }