
Use timing safe string comparison in CSRF filter #3126

Closed
wants to merge 1 commit into from

Conversation

barryvdh
Contributor

Use a timing safe comparison, as provided by the Symfony Security Component.

As proposed by @lasselehtinen and @ircmaxell in ba0cf2a

(I'm not a security expert, so they have more knowledge about this)

@crynobone
Member

I somehow would prefer if we convert this to a class.

Route::filter('csrf', 'Illuminate\Foundation\Filters\VerifyCsrfToken');

This way, if we need to improve the functionality, developers just need to run composer update.
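To show what the two points above amount to in code (a timing-safe token check, packaged as a filter class rather than a closure), here is an added example. It is not code from this pull request or from the Laravel framework; it uses no Laravel classes, takes the session token and the submitted token as plain strings, and uses PHP's built-in hash_equals() with a byte-by-byte fallback of the same shape as Symfony's StringUtils::equals() for PHP versions that lack it. The class and method names are assumptions.

```php
<?php
// Added example, not part of the pull request or of laravel/laravel.
// Assumptions: tokens arrive as plain strings; the class name VerifyCsrfToken
// and the method names below are illustrative, not the framework's API.

class TokenMismatchException extends RuntimeException {}

class VerifyCsrfToken
{
    /**
     * Compare the expected session token with the user-supplied one.
     * A plain `==` / `===` returns at the first differing byte, so its
     * running time depends on how long the matching prefix is; hash_equals()
     * always processes the whole known string.
     */
    public static function tokensMatch($sessionToken, $requestToken)
    {
        if (!is_string($sessionToken) || !is_string($requestToken)) {
            return false; // non-string input (e.g. null for a missing field) never matches
        }
        if (function_exists('hash_equals')) { // PHP >= 5.6
            return hash_equals($sessionToken, $requestToken);
        }
        return self::constantTimeEquals($sessionToken, $requestToken);
    }

    /**
     * Fallback in the same style as StringUtils::equals(): walk every byte of
     * the known string and accumulate differences with XOR/OR, so the loop
     * count does not depend on where the first mismatch sits. A length
     * difference is folded into the result rather than short-circuiting.
     */
    public static function constantTimeEquals($known, $user)
    {
        $knownLen = strlen($known);
        $userLen  = strlen($user);

        // Pad the user string so the loop always runs $knownLen iterations.
        if ($userLen < $knownLen) {
            $user .= str_repeat("\0", $knownLen - $userLen);
        }

        $result = $knownLen ^ $userLen;
        for ($i = 0; $i < $knownLen; $i++) {
            $result |= ord($known[$i]) ^ ord($user[$i]);
        }

        return $result === 0;
    }

    /** Filter entry point: throw on mismatch, do nothing on success. */
    public static function filter($sessionToken, $requestToken)
    {
        if (!self::tokensMatch($sessionToken, $requestToken)) {
            throw new TokenMismatchException('CSRF token mismatch');
        }
    }
}

// Constructed sample values (not real tokens).
$sessionToken = 'Q9Yl7D0bE0m5eWfYqd7qHt4pcE3lJ9bK2XbF5nCm';

var_dump(VerifyCsrfToken::tokensMatch($sessionToken, $sessionToken));
var_dump(VerifyCsrfToken::tokensMatch($sessionToken, substr($sessionToken, 0, 10)));
var_dump(VerifyCsrfToken::tokensMatch($sessionToken, null));
var_dump(VerifyCsrfToken::constantTimeEquals($sessionToken, $sessionToken));
var_dump(VerifyCsrfToken::constantTimeEquals($sessionToken, 'Q9Yl7D0bE0m5eWfYqd7qHt4pcE3lJ9bK2XbF5nCX'));

try {
    VerifyCsrfToken::filter($sessionToken, 'wrong');
} catch (TokenMismatchException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The known (session) token is always the first argument, both for hash_equals() and for the fallback, so the amount of work is governed by the server's secret rather than by whatever the client sent.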

@barryvdh
Contributor Author

Yes, I guess that is why Taylor moved it to the core in L5 (see the related PR above). I think it's probably too late to change that in 4.2?

@crynobone
Member

I think it's probably too late to change that in 4.2?

IMHO it's easier to tell developers to replace the closure with the above versus needing to add the import and change line x with y, but that's just me.

@barryvdh
Contributor Author

No I agree, that would be a better option.

@@ -1,4 +1,5 @@
<?php
use Symfony\Component\Security\Core\Util\StringUtils;
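Review bot: the import is added directly after the `<?php` line with no blank line in between; the project's coding style expects `<?php`, a blank line, then `use Symfony\Component\Security\Core\Util\StringUtils;`. Also, this hunk only adds the import, which by itself changes no behaviour; check that the comparison further down the file actually calls `StringUtils::equals()` with the session token as the first (known-string) argument and the request value as the second.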
Member


<?php

use Symfony\Component\Security\Core\Util\StringUtils;

New line before code please.

@barryvdh
Contributor Author

@GrahamCampbell before I fix your CS issues, what do you think about moving the filter to the framework as suggested?

@GrahamCampbell
Member

It's already in the framework as of 5.0. I don't see the urgent need to put it in 4.2 as well.

@crynobone
Member

  1. It'd be easier if we want to backport the security fixes to 4.1 and even 4.0.
  2. If later we want to include header + cookie usage of the CSRF token for JS, as in 5.0, we just update the framework code.

Use a timing safe comparison, as provided by the Symfony Security Component.
@barryvdh barryvdh deleted the patch-3 branch June 1, 2015 08:26
Markr10 added a commit to Wybren-Jongstra/Stender that referenced this pull request Jun 10, 2015

4 participants