Use constant time comparison in UriSigner

stof · stof · commit b49245d95842 · 2019-05-24T12:09:27.000+02:00
diff --git a/UriSigner.php b/UriSigner.php
@@ -79,7 +79,7 @@ public function check($uri)
         $hash = $params[$this->parameter];
         unset($params[$this->parameter]);
 
-        return $this->computeHash($this->buildUrl($url, $params)) === $hash;
+        return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
     }
 
     private function computeHash($uri)
diff --git a/composer.json b/composer.json
@@ -21,6 +21,7 @@
         "symfony/http-foundation": "~3.4.12|~4.0.12|^4.1.1",
         "symfony/debug": "^3.3.3|~4.0",
         "symfony/polyfill-ctype": "~1.8",
+        "symfony/polyfill-php56": "~1.8",
         "psr/log": "~1.0"
     },
     "require-dev": {

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ public function check($uri)`
`79`	`79`	`$hash = $params[$this->parameter];`
`80`	`80`	`unset($params[$this->parameter]);`
`81`	`81`
`82`		`- return $this->computeHash($this->buildUrl($url, $params)) === $hash;`
	`82`	`+ return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);`
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`private function computeHash($uri)`