Fix request authentication safe hash comparison

sstok · sstok · commit d74cceb6a37b · 2016-05-29T10:27:43.000+02:00
diff --git a/src/AppBundle/Issues/GitHubRequestHandler.php b/src/AppBundle/Issues/GitHubRequestHandler.php
@@ -85,6 +85,6 @@ private function authenticate($hash, $key, $data)
             throw new \RuntimeException('"hash" extension is needed to check request signature.');
         }
 
-        return $hash !== 'sha1='.hash_hmac('sha1', $data, $key);
+        return hash_equals($hash, 'sha1='.hash_hmac('sha1', $data, $key));
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,6 @@ private function authenticate($hash, $key, $data)`
`85`	`85`	`throw new \RuntimeException('"hash" extension is needed to check request signature.');`
`86`	`86`	`}`
`87`	`87`
`88`		`- return $hash !== 'sha1='.hash_hmac('sha1', $data, $key);`
	`88`	`+ return hash_equals($hash, 'sha1='.hash_hmac('sha1', $data, $key));`
`89`	`89`	`}`
`90`	`90`	`}`