Use constant time string comparison in FormKey validator

p0pr0ck5 · gelanivishal · commit 6e1beda53891 · 2018-07-04T02:00:15.000Z
CSRF tokens should be considered sensitive strings. While the
risk of a malicious actor attempting gleam the form key via a
timing attack is very low, we should still follow best practices
in verifying this token.
diff --git a/lib/internal/Magento/Framework/Data/Form/FormKey/Validator.php b/lib/internal/Magento/Framework/Data/Form/FormKey/Validator.php
@@ -5,6 +5,8 @@
  */
 namespace Magento\Framework\Data\Form\FormKey;
 
+use Magento\Framework\Encryption\Helper\Security;
+
 /**
  * @api
  */
@@ -32,9 +34,11 @@ public function __construct(\Magento\Framework\Data\Form\FormKey $formKey)
     public function validate(\Magento\Framework\App\RequestInterface $request)
     {
         $formKey = $request->getParam('form_key', null);
-        if (!$formKey || $formKey !== $this->_formKey->getFormKey()) {
+
+        if (!$formKey) {
             return false;
         }
-        return true;
+
+        return Security::compareStrings($formKey, $this->_formKey->getFormKey());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,8 @@`
`5`	`5`	`*/`
`6`	`6`	`namespace Magento\Framework\Data\Form\FormKey;`
`7`	`7`
	`8`	`+use Magento\Framework\Encryption\Helper\Security;`
	`9`	`+`
`8`	`10`	`/**`
`9`	`11`	`* @api`
`10`	`12`	`*/`
`@@ -32,9 +34,11 @@ public function __construct(\Magento\Framework\Data\Form\FormKey $formKey)`
`32`	`34`	`public function validate(\Magento\Framework\App\RequestInterface $request)`
`33`	`35`	`{`
`34`	`36`	`$formKey = $request->getParam('form_key', null);`
`35`		`- if (!$formKey \|\| $formKey !== $this->_formKey->getFormKey()) {`
	`37`	`+`
	`38`	`+ if (!$formKey) {`
`36`	`39`	`return false;`
`37`	`40`	`}`
`38`		`- return true;`
	`41`	`+`
	`42`	`+ return Security::compareStrings($formKey, $this->_formKey->getFormKey());`
`39`	`43`	`}`
`40`	`44`	`}`