Merge branch '2.3' into 2.6

fabpot · fabpot · commit 94465e02e58f · 2015-03-27T11:19:51.000+01:00
* 2.3:
  CS: fixes
  Translator component has default domain for null implemented no need to have default translation domain logic in 3 different places
  [travis] Kill tests when a new commit has been pushed
  fixed CS
  Change behavior to mirror hash_equals() returning early if there is a length mismatch
  CS fixing
  Prevent modifying secrets as much as possible
  Update StringUtils.php
  Whitespace
  Update StringUtils.php
  CS: general fixes
  [SecurityBundle] removed a duplicated service definition and simplified others.

Conflicts:
	src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/choice_widget_collapsed.html.php
	src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.xml
	src/Symfony/Component/Console/Tests/Helper/LegacyTableHelperTest.php
	src/Symfony/Component/DependencyInjection/Tests/Fixtures/php/services11.php
diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php
@@ -38,29 +38,56 @@ private function __construct()
      */
     public static function equals($knownString, $userInput)
     {
-        $knownString = (string) $knownString;
-        $userInput = (string) $userInput;
+        // Avoid making unnecessary duplications of secret data
+        if (!is_string($knownString)) {
+            $knownString = (string) $knownString;
+        }
+
+        if (!is_string($userInput)) {
+            $userInput = (string) $userInput;
+        }
 
         if (function_exists('hash_equals')) {
             return hash_equals($knownString, $userInput);
         }
 
-        $knownLen = strlen($knownString);
-        $userLen = strlen($userInput);
+        $knownLen = self::safeStrlen($knownString);
+        $userLen = self::safeStrlen($userInput);
 
-        // Extend the known string to avoid uninitialized string offsets
-        $knownString .= $userInput;
+        if ($userLen !== $knownLen) {
+            return false;
+        }
 
-        // Set the result to the difference between the lengths
-        $result = $knownLen - $userLen;
+        $result = 0;
 
-        // Note that we ALWAYS iterate over the user-supplied length
-        // This is to mitigate leaking length information
-        for ($i = 0; $i < $userLen; $i++) {
+        for ($i = 0; $i < $knownLen; $i++) {
             $result |= (ord($knownString[$i]) ^ ord($userInput[$i]));
         }
 
         // They are only identical strings if $result is exactly 0...
         return 0 === $result;
     }
+
+    /**
+     * Returns the number of bytes in a string.
+     *
+     * @param string $string The string whose length we wish to obtain
+     *
+     * @return int
+     */
+    public static function safeStrlen($string)
+    {
+        // Premature optimization
+        // Since this cannot be changed at runtime, we can cache it
+        static $funcExists = null;
+        if (null === $funcExists) {
+            $funcExists = function_exists('mb_strlen');
+        }
+
+        if ($funcExists) {
+            return mb_strlen($string, '8bit');
+        }
+
+        return strlen($string);
+    }
 }
