Use hash_equals for constant-time string comparison

[dunglas]

Use the hash_equals function (introduced in PHP 5.6) for timing attack safe string comparison when available.
Add in the DocBlock that length will leak (see php/php-src#792).

[wilsonge]

#3832

Similar issue, alternative fix, we received a while back (less good but full PHP version support)

[dunglas]

@wilsonge I don't know if this better to use HMAC or hash_equals for passwords but, if this method is part of the Joomla API both patch can be merged. It will benefit at least to plugins using it.

[sarciszewski]

👍 for using native hash_equals() if it exists.

[RCheesley]

Can you please provide test instructions?

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/4206.

[brianteeman]

As this requires php 5.6 which is higher than our minimum requirement how can this be merged?

Setting to Needs Review so the CMS maintainers can make a decision

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/4206.}

[sarciszewski]

As this requires php 5.6 which is higher than our minimum requirement how can this be merged?

Have you even read what the pull request does? It's wrapped inside of a if (function_exists('hash_equals')) block...

[Hackwar]

The PR looks good, but please update the PR to latest staging so that Travis is run and can give us a proper result.

[mbabker]

I don't see an issue with this. We've done similar things in the past where we use native PHP functions conditionally and fallback to something else if it isn't available. As requested previously though, can this PR be sync'd with the staging branch so it can be properly tested by both users and the CI suite? Also, there is one codestyle issue to fix; the opening bracket for the if statement should be on a new line.

[zero-24]

This PR: #7754 fixes the codestyle issue and replaces this here. Thanks @dunglas !