security #40 Fix request authentication safe hash comparison (sstok)

weaverryan · weaverryan · commit dd3c437915a7 · 2016-08-20T20:47:06.000-04:00
This PR was merged into the master branch. Discussion ---------- Fix request authentication safe hash comparison |Q |A | |--- |---| |Bug Fix? |yes| |New Feature? |no | |BC Breaks? |no | |Deprecations?|no | |Tests Pass? |yes| |Fixed Tickets| | |License |MIT| Commits ------- d74cceb Fix request authentication safe hash comparison
diff --git a/src/AppBundle/Issues/GitHubRequestHandler.php b/src/AppBundle/Issues/GitHubRequestHandler.php
@@ -90,6 +90,6 @@ private function authenticate($hash, $key, $data)
             throw new \RuntimeException('"hash" extension is needed to check request signature.');
         }
 
-        return $hash !== 'sha1='.hash_hmac('sha1', $data, $key);
+        return hash_equals($hash, 'sha1='.hash_hmac('sha1', $data, $key));
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,6 @@ private function authenticate($hash, $key, $data)`
`90`	`90`	`throw new \RuntimeException('"hash" extension is needed to check request signature.');`
`91`	`91`	`}`
`92`	`92`
`93`		`- return $hash !== 'sha1='.hash_hmac('sha1', $data, $key);`
	`93`	`+ return hash_equals($hash, 'sha1='.hash_hmac('sha1', $data, $key));`
`94`	`94`	`}`
`95`	`95`	`}`