Fixed security floor in hash_equals #84
Conversation
|
I propose a new patch release is tagged asap after this PR. |
|
I then propose we remove this extra public method we have here. |
| } | ||
|
|
||
| return $result === 0; | ||
| return hash_equals($known, $input); |
There was a problem hiding this comment.
I think at this point we can even remove the timingSafeEquals method
|
this will also drop compatibility with 5.5 -- not that Im against it :) let me know once its finalized and we can release a new major version |
Only if we do a minor version bump. I'd rather we patched this issue in a patch release, then removed the method. |
You mean minor? |
|
I mean major, as |
We don't need to drop php 5.5 support. That dependency I added makes that function available on php 5.5. |
If you're following semver, only minor releases are needed during 0.x to make BC breaking changes. I see no reason for you to need to bump from 0.6 to 1.0? |
|
Oh, wait, I missread what version we were on, lol. |
|
Oh, didnt realize you added the symfony polyfill -- will merge and tag! |
Fixed security floor in hash_equals
Fixed security floor. Always better to rely on a third party secure implementation rather than maintaining a separate one that just recently was noticed to be broken.