Description
The PHP jwt library by Malcolm Fell, version <= 1.0.2, is vulnerable to a timing attack on hash comparison in the symmetric encryption component, resulting in the crafting of a valid signature for arbitrary content.
Details
The verification of the HMAC hash in the verify() function in Symmetric.php is vulnerable to a timing attack. No timing-safe equality function, e.g. hash_equals() (PHP >= 5.6.0 and PHP 7), is used.
This allows an attacker to craft a valid signature for arbitrary content.
Recommendation
It is recommended to use a timing-safe equality function for comparison. In PHP >= 5.6.0 and PHP 7, the hash_equals() function has been implemented.
For unsupported versions, the following example function might be used (taken from here - also recommended for further details of timing attacks on equals comparison):
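An added example, not the function referenced above and not the library's own code: it shows the leaky comparison pattern beside a hardened check that uses hash_equals() with a constant-time fallback for PHP < 5.6. The function names, the SHA-256 choice and the sample values are assumptions made for illustration.

```php
<?php
// Added example; all function names here are hypothetical, not the library's API.

// Leaky pattern: === on strings is not guaranteed to run in constant time,
// so response time can reveal how many leading bytes of a guess matched.
function verify_leaky($key, $message, $signature)
{
    return hash_hmac('sha256', $message, $key, true) === $signature;
}

// Fallback for PHP < 5.6: OR together the XOR of every byte pair so the
// running time depends only on the length, never on the mismatch position.
function timing_safe_equals($known, $user)
{
    if (!is_string($known) || !is_string($user)) {
        return false;
    }
    $len = strlen($known);
    if ($len !== strlen($user)) {
        return false; // the HMAC length is fixed and public, nothing secret leaks
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Hardened pattern: prefer the built-in, fall back on older runtimes.
function verify_constant_time($key, $message, $signature)
{
    $expected = hash_hmac('sha256', $message, $key, true);
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $signature);
    }
    return timing_safe_equals($expected, $signature);
}

// Constructed sample values (SHA-256 is an assumption, not taken from the page).
$key = 'constructed-demo-key';
$message = 'header.payload';
$good = hash_hmac('sha256', $message, $key, true);
$bad = $good;
$bad[31] = chr(ord($bad[31]) ^ 0x01); // flip one bit in the last byte

var_dump(verify_constant_time($key, $message, $good));
var_dump(verify_constant_time($key, $message, $bad));
```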