[5.6] Use hash_equals for verifying url signatures

[hmazter]

The PR updates the comparison of the URL signature to use the timing attack safe hash_equals function instead of a simple ===.

I don't know if this is strictly necessary for this use case. But since there exists a function for comparing hashes, I think it could/should be used.

Feel free to reject it if it is not needed.

[ludo237]

This change broke my test

ErrorException: hash_equals(): Expected user_string to be a string, null given

/app/vendor/laravel/framework/src/Illuminate/Routing/UrlGenerator.php:350
/app/vendor/laravel/framework/src/Illuminate/Support/Facades/Facade.php:221
/app/vendor/laravel/framework/src/Illuminate/Foundation/Providers/FoundationServiceProvider.php:57
/app/vendor/laravel/framework/src/Illuminate/Support/Traits/Macroable.php:106
/app/vendor/laravel/framework/src/Illuminate/Routing/Middleware/ValidateSignature.php:21
/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:149
/app/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php:53
/app/app/Http/Middleware/RedirectIfAuthenticated.php:28

Which works with 5.6.13

Basically if asignature parameter is not provided it breaks. You should change this line to

$request->query('signature', '') in order to throw an InvalidSignatureException instead of an ErrorException