Fixed security floor in hash_equals #84
Conversation
I propose a new patch release is tagged asap after this PR.
I then propose we remove this extra public method we have here.
} | ||
|
||
return $result === 0; | ||
return hash_equals($known, $input); |
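Review bot: the new `return hash_equals($known, $input);` relies on hash_equals(), which is native only from PHP 5.6; the thread says a polyfill was added to cover 5.5, so the composer.json change belongs in the same PR and the new dependency should be noted in the changelog. Keep the argument order known-first: hash_equals() is documented as leaking the length of its first argument, so the caller-controlled value must stay in `$input`. If the loop that accumulated `$result` still precedes this return, it is now dead code and should go with the removed `return $result === 0;`.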
I think at this point we can even remove the timingSafeEquals method
this will also drop compatibility with 5.5 -- not that I'm against it :) let me know once it's finalized and we can release a new major version
Only if we do a minor version bump. I'd rather we patched this issue in a patch release, then removed the method.
You mean minor?
I mean major, as
We don't need to drop php 5.5 support. That dependency I added makes that function available on php 5.5. |
If you're following semver, only minor releases are needed during 0.x to make BC breaking changes. I see no reason for you to need to bump from 0.6 to 1.0? |
Oh, wait, I misread what version we were on, lol.
Oh, didn't realize you added the symfony polyfill -- will merge and tag!
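Added example, not code from this PR or the project: what the replacement looks like from a caller's side once hash_equals() is available, natively on PHP 5.6+ or through the symfony polyfill the thread mentions on 5.5. The function name `verifyTag`, the autoloader path, the key and the message are all assumptions made for the demonstration.

```php
<?php
// Added example (not the project's code). Assumes composer.json requires
// symfony/polyfill-php56 so that hash_equals() exists on PHP 5.5 as well as
// natively from 5.6 onward.
require __DIR__ . '/vendor/autoload.php';

/**
 * Verify a caller-supplied HMAC tag against the tag we compute over $message.
 *
 * The tag we computed goes FIRST. hash_equals() is documented as possibly
 * leaking the length of its first argument, so the attacker-controlled value
 * belongs in the second position, exactly as the PR's hash_equals($known, $input).
 */
function verifyTag($key, $message, $inputTag)
{
    if (!is_string($inputTag)) {
        // Older PHP emits a warning and returns false for non-string input,
        // PHP 8 throws a TypeError; reject explicitly instead of relying on either.
        return false;
    }
    $knownTag = hash_hmac('sha256', $message, $key);
    return hash_equals($knownTag, $inputTag);
}

// Constructed demo input; not real keys or traffic.
$key     = 'constructed-demo-key';
$message = 'order=42&amount=10.00';
$goodTag = hash_hmac('sha256', $message, $key);
// Flip the last hex digit to build a tag that differs only at the end.
$last    = substr($goodTag, -1);
$badTag  = substr($goodTag, 0, -1) . ($last === '0' ? '1' : '0');

var_dump(verifyTag($key, $message, $goodTag));
var_dump(verifyTag($key, $message, $badTag));
var_dump(verifyTag($key, $message, 42));
```

The first call accepts the correct tag, the second rejects a tag differing only in its final byte, and the third rejects a non-string without touching hash_equals(). Because the comparison runs in time that does not depend on the position of the first mismatching byte, a remote caller cannot recover the tag byte by byte by timing the rejection, which is the property the project gains by dropping its own comparison in favour of the built-in.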
Fixed security floor in hash_equals
Fixed security flaw. Always better to rely on a third-party secure implementation rather than maintaining a separate one that just recently was noticed to be broken.