Use timing safe string comparison in CSRF filter

[barryvdh]

Use a timing safe comparison, as provided by the Symfony Security Component.

As proposed by by @lasselehtinen and @ircmaxell in ba0cf2a

(I'm not a security expert, so they more knowledge about this)

[crynobone]

I somehow would prefer if we convert this to a class.

Route::filter('csrf', 'Illuminate\Foundation\Filters\VerifyCsrfToken');

This way if we need to improve the functionality, developer just need to run composer update.

[barryvdh]

Yes I guess that is why Taylor move it to the core in L5 (see the related PR above), I think it's probably too late to change that in 4.2?

[crynobone]

I think it's probably too late to change that in 4.2?

IMHO it easier to tell developer to replace the closure with above versus you need to add the import, change line x with y, but that just me.

[barryvdh]

No I agree, that would be a better option.

[GrahamCampbell]

<?php

use Symfony\Component\Security\Core\Util\StringUtils;

New line before code please.

[barryvdh]

@GrahamCampbell before I fix your CS issues, what do you think about moving the filter to the framework as suggested?

[GrahamCampbell]

It's already in the framework as of 5.0. I don't see the urgent need to put it in 4.2 as well.

[crynobone]

1. It be easier if we want to backport the security fixes to 4.1 and even 4.0
2. If later we want to include headers + cookie usage of csrf token for js as what in 5.0, we just update the framework code.