Use mb_strlen instead of strlen.

This avoids potential bombs related to `mbstring.func_overload`.
The 8bit encoding does byte counting (which is what we want).

Refs #6139
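To show the fallback path end to end, here is an added example of a constant-time comparison whose length check stays a byte count even when `mbstring.func_overload` has redirected `strlen()` to `mb_strlen()`. This is illustrative code written for this page, not CakePHP's `Security::_constantEquals`; the helper name `byteLength` and the guard for a PHP build without the mbstring extension are this example's own choices, and the sample HMAC values are constructed inline.

```php
<?php
// Added example, not CakePHP's own code. Demonstrates a constant-time
// comparison that counts bytes regardless of mbstring.func_overload.

/**
 * Byte length of $s. With func_overload bit 2 set, strlen() silently becomes
 * mb_strlen() using the internal encoding, so a multibyte string reports
 * fewer "characters" than bytes. The '8bit' encoding forces byte counting.
 * Assumption: mbstring may be absent; then nothing can have overloaded
 * strlen(), so plain strlen() is already a byte count.
 */
function byteLength($s)
{
    if (function_exists('mb_strlen')) {
        return mb_strlen($s, '8bit');
    }
    return strlen($s);
}

/**
 * Compare two strings in time that depends only on their length, not on
 * where they first differ. Prefers native hash_equals() (PHP >= 5.6).
 */
function constantEquals($known, $user)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    $knownLength = byteLength($known);
    if ($knownLength !== byteLength($user)) {
        return false;
    }
    $result = 0;
    for ($i = 0; $i < $knownLength; $i++) {
        // String offsets are not affected by func_overload; XOR accumulates
        // any differing bit without an early exit.
        $result |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $result === 0;
}

// Constructed sample input: an HMAC and a candidate differing only in the last byte.
$hmac = hash_hmac('sha256', 'payload', 'secret');
var_dump(constantEquals($hmac, $hmac));
var_dump(constantEquals($hmac, substr($hmac, 0, -1) . 'x'));
```

The `function_exists('mb_strlen')` guard matters because the whole fallback branch is only reached on PHP builds old enough to lack `hash_equals`, which are also the builds most likely to be compiled without mbstring.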
markstory committed Mar 27, 2015
1 parent 48ad0b0 commit b5761c5c9918bd4070c9566654f7cdfe387dcbc0
Showing with 2 additions and 2 deletions.
  1. +2 −2 src/Utility/Security.php
@@ -248,8 +248,8 @@ protected static function _constantEquals($hmac, $compare)
if (function_exists('hash_equals')) {
return hash_equals($hmac, $compare);
}
$hashLength = strlen($hmac);
$compareLength = strlen($compare);
$hashLength = mb_strlen($hmac, '8bit');
$compareLength = mb_strlen($compare, '8bit');
if ($hashLength !== $compareLength) {
return false;
}
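Review bot: the new lines `$hashLength = mb_strlen($hmac, '8bit');` and `$compareLength = mb_strlen($compare, '8bit');` assume the mbstring extension is loaded; on a PHP build without it, `mb_strlen` is undefined and this branch (reached only when `hash_equals` is missing, per the `function_exists('hash_equals')` check above) turns into a fatal error where `strlen` used to work. Guard the call, e.g. `function_exists('mb_strlen') ? mb_strlen($hmac, '8bit') : strlen($hmac)`; that is still correct, because without mbstring nothing can have overloaded `strlen`. The `'8bit'` argument itself is the right fix: it keeps the comparison a byte count even when `mbstring.func_overload` silently routes `strlen` to `mb_strlen` with the internal encoding.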

0 comments on commit b5761c5