mitigate CSRF timing attack vulnerability

Author: xabbuh

Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php

@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;
 
+use Symfony\Component\Security\Core\Util\StringUtils;
+
 /**
  * Default implementation of CsrfProviderInterface.
  *
@@ -54,6 +56,16 @@ public function generateCsrfToken($intention)
      */
     public function isCsrfTokenValid($intention, $token)
     {
+        $expectedToken = $this->generateCsrfToken($intention);
+
+        if (function_exists('hash_equals')) {
+            return hash_equals($expectedToken, $token);
+        }
+
+        if (class_exists('Symfony\Component\Security\Core\Util\StringUtils')) {
+            return StringUtils::equals($expectedToken, $token);
+        }
+
         return $token === $this->generateCsrfToken($intention);
     }