Use hash_equals for constant-time string comparison #4206
Conversation
Similar issue, alternative fix, we received a while back (less good but full PHP version support)
@wilsonge I don't know if it is better to use HMAC or
👍 for using native
Can you please provide test instructions?
As this requires PHP 5.6, which is higher than our minimum requirement, how can this be merged? Setting to Needs Review so the CMS maintainers can make a decision. This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/4206.
Have you even read what the pull request does? It's wrapped inside of a
The PR looks good, but please update the PR to latest staging so that Travis is run and can give us a proper result.
I don't see an issue with this. We've done similar things in the past where we use native PHP functions conditionally and fall back to something else if it isn't available. As requested previously though, can this PR be synced with the staging branch so it can be properly tested by both users and the CI suite? Also, there is one code style issue to fix; the opening bracket for the if statement should be on a new line.
Use the hash_equals function (introduced in PHP 5.6) for timing-attack-safe string comparison when available. Add in the DocBlock that length will leak (see php/php-src#792).
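The pattern the PR description and the reviewers discuss, as an added illustration rather than the PR's own diff: prefer the native hash_equals when the running PHP provides it, otherwise fall back to a byte-by-byte comparison that does the same amount of work regardless of where the first mismatch is. The function name timingSafeEquals and the sample values are assumptions made up for this example; the DocBlock records the length leak the PR asks for.

```php
<?php
/**
 * Constant-time string comparison.
 *
 * Uses hash_equals() when it exists (PHP >= 5.6) and falls back to a
 * manual constant-time loop on older versions. Name and structure are
 * illustrative; this is not the Joomla code from the PR.
 *
 * Note: like hash_equals(), this leaks the length of the strings, because
 * the comparison returns early when the lengths differ (see php/php-src#792).
 *
 * @param string $known User-independent string, e.g. the stored token.
 * @param string $user  User-supplied string to compare against it.
 *
 * @return boolean True if both strings are identical.
 */
function timingSafeEquals($known, $user)
{
	if (!is_string($known) || !is_string($user))
	{
		return false;
	}

	if (function_exists('hash_equals'))
	{
		return hash_equals($known, $user);
	}

	$knownLength = strlen($known);

	if ($knownLength !== strlen($user))
	{
		return false;
	}

	// XOR each byte pair and OR the results together: the loop always
	// runs over the full length, so timing does not reveal the mismatch position.
	$result = 0;

	for ($i = 0; $i < $knownLength; $i++)
	{
		$result |= ord($known[$i]) ^ ord($user[$i]);
	}

	return $result === 0;
}

// Constructed sample values for a quick manual run.
var_dump(timingSafeEquals('s3cr3t-token', 's3cr3t-token'));
var_dump(timingSafeEquals('s3cr3t-token', 's3cr3t-tokeN'));
```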