Some docs cleanup

commit a088a2604b1e52517d0657403cac8a14d7b41c26 1 parent 7bc0095
Anthony Ferrara authored
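--- a/lib/PasswordLib/Password/AbstractPassword.php
+++ b/lib/PasswordLib/Password/AbstractPassword.php
@@ -55,10 +55,18 @@ public static function getPrefix() {
 /**
 * Perform a constant time comparison between two hash strings
+ *
+ * This is done to prevent remote timing attacks from giving an attacker
+ * information about the hash remotely. This provides a constant runtime
+ * equality check between two strings of the same length. This should be used
+ * any time sensitive information is compared, as === can leak information
+ * about the position of the difference to an attacker.
 *
 * @param string $hash1 The first hash to compare
 * @param string $hash2 The second hash to compare
 *
+ * @see http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/
+ * @see http://rdist.root.org/2010/01/07/timing-independent-array-comparison/
 * @return boolean True if the strings are identical
 */
 protected function compareStrings($hash1, $hash2) {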
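Review bot: The new description promises a constant runtime "between two strings of the same length" but says nothing about what compareStrings does when `$hash1` and `$hash2` differ in length, which is exactly the case a caller of a generic comparison helper needs to know about; the method body starts after the hunk, so I cannot see whether it returns early there. Add one sentence to the description stating the unequal-length behaviour as the body actually implements it, for example `Strings of different length are never equal; the early length check is not constant-time and callers comparing attacker-controlled input should not rely on it being so.`, adjusted to match the code. The two `@see` tags are also inserted between `@param` and `@return`, which breaks the tag order used elsewhere in this docblock; moving them after `@return` keeps the block consistent. Minor: `@return bool` is the preferred spelling over `boolean`.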
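--- a/lib/PasswordLib/PasswordLib.php
+++ b/lib/PasswordLib/PasswordLib.php
@@ -154,9 +154,8 @@ public function shuffleArray(array $array) {
 * @return string The shuffled string
 */
 public function shuffleString($string) {
-$factory = new RandomFactory;
-$array = str_split($string);
-$result = $this->shuffleArray($array);
+$array = str_split($string);
+$result = $this->shuffleArray($array);
 return implode('', $result);
 }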
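Review bot: `$array = str_split($string);` on the new side splits by byte, so a multibyte (UTF-8) input is shuffled at the byte level and the returned string can be invalid UTF-8; if that is intended, the docblock, whose `@param` line sits above the hunk, should say so, e.g. `@param string $string The string to shuffle; treated as a byte sequence, so multibyte characters are not preserved`. The removed `$factory = new RandomFactory;` was never read inside this method, so the cleanup is correct, but if nothing else in the file references RandomFactory the matching `use` import outside the hunk is now dead as well. Note that `str_split('')` returns `['']` on PHP before 8.2 and `[]` from 8.2 on; both implode to `''`, so the empty-string case is stable across versions and cheap to pin with a test.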