From e1b88333f915b6615e1caa6a7ea56fcb39db4f18 Mon Sep 17 00:00:00 2001
From: crynobone
Date: Tue, 11 Nov 2014 22:33:13 +0800
Subject: [PATCH] Use timing safe string comparison in CSRF filter

Signed-off-by: crynobone
---
 src/filters.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/filters.php b/src/filters.php
index d7c61268..de0cde40 100644
--- a/src/filters.php
+++ b/src/filters.php
@@ -8,6 +8,7 @@
 use Illuminate\Support\Facades\Route;
 use Illuminate\Support\Facades\Session;
 use Orchestra\Support\Facades\App;
+use Symfony\Component\Security\Core\Util\StringUtils;
 
 /*
 |--------------------------------------------------------------------------
@@ -58,7 +59,7 @@
 // differently or deleted by the user. To avoid un-expected behaviour
 // the same functionality is duplicated.
 
- if (Session::token() !== Input::get('_token')) {
+ if (! StringUtils::equals(Session::token(), Input::get('_token'))) {
 throw new TokenMismatchException;
 }
 });
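Review bot: The new comparison in the second hunk still passes `Input::get('_token')` straight into `StringUtils::equals`, and that value is not guaranteed to be a string: a missing token yields null and a request carrying `_token[]=…` yields an array, so what happens next depends on how the installed Symfony version coerces non-string input rather than on this filter. The old `!==` check rejected such inputs by type alone; I would keep that property explicit, e.g. `$token = Input::get('_token');` followed by `if (! is_string($token) || ! StringUtils::equals(Session::token(), $token)) {`, so the constant-time compare only ever sees two strings. The `use Symfony\Component\Security\Core\Util\StringUtils;` line in the first hunk also makes this file depend on the symfony security-core package; if it is not declared in this project's composer.json it presumably arrives only transitively through the framework, which is worth pinning explicitly. The filter closure that contains this `if` starts before the hunk, so its signature is not visible here.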