ENGCOM-2183: Use constant time string comparison in FormKey validator #16518

Stanislav Idolov · web-flow · commit d5f5c2e07f55 · 2018-07-18T22:10:44.000+03:00
diff --git a/lib/internal/Magento/Framework/Data/Form/FormKey/Validator.php b/lib/internal/Magento/Framework/Data/Form/FormKey/Validator.php
@@ -5,6 +5,8 @@
  */
 namespace Magento\Framework\Data\Form\FormKey;
 
+use Magento\Framework\Encryption\Helper\Security;
+
 /**
  * @api
  */
@@ -32,9 +34,7 @@ public function __construct(\Magento\Framework\Data\Form\FormKey $formKey)
     public function validate(\Magento\Framework\App\RequestInterface $request)
     {
         $formKey = $request->getParam('form_key', null);
-        if (!$formKey || $formKey !== $this->_formKey->getFormKey()) {
-            return false;
-        }
-        return true;
+        
+        return $formKey && Security::compareStrings($formKey, $this->_formKey->getFormKey());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,8 @@`
`5`	`5`	`*/`
`6`	`6`	`namespace Magento\Framework\Data\Form\FormKey;`
`7`	`7`
	`8`	`+use Magento\Framework\Encryption\Helper\Security;`
	`9`	`+`
`8`	`10`	`/**`
`9`	`11`	`* @api`
`10`	`12`	`*/`
`@@ -32,9 +34,7 @@ public function __construct(\Magento\Framework\Data\Form\FormKey $formKey)`
`32`	`34`	`public function validate(\Magento\Framework\App\RequestInterface $request)`
`33`	`35`	`{`
`34`	`36`	`$formKey = $request->getParam('form_key', null);`
`35`		`- if (!$formKey \|\| $formKey !== $this->_formKey->getFormKey()) {`
`36`		`- return false;`
`37`		`- }`
`38`		`- return true;`
	`37`	`+`
	`38`	`+ return $formKey && Security::compareStrings($formKey, $this->_formKey->getFormKey());`
`39`	`39`	`}`
`40`	`40`	`}`