prevent timing attacks in digest auth listener

xabbuh · fabpot · commit 819aa54fe489 · 2015-11-23T11:02:49.000+01:00
diff --git a/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php b/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php
@@ -66,7 +66,7 @@ public function isCsrfTokenValid($intention, $token)
             return StringUtils::equals($expectedToken, $token);
         }
 
-        return $token === $this->generateCsrfToken($intention);
+        return $token === $expectedToken;
     }
 
     /**
diff --git a/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php
@@ -13,6 +13,7 @@
 
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Core\Util\StringUtils;
 use Symfony\Component\Security\Http\EntryPoint\DigestAuthenticationEntryPoint;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
@@ -99,7 +100,7 @@ public function handle(GetResponseEvent $event)
             return;
         }
 
-        if ($serverDigestMd5 !== $digestAuth->getResponse()) {
+        if (!StringUtils::equals($serverDigestMd5, $digestAuth->getResponse())) {
             if (null !== $this->logger) {
                 $this->logger->debug(sprintf('Expected response: "%s" but received: "%s"; is AuthenticationDao returning clear text passwords?', $serverDigestMd5, $digestAuth->getResponse()));
             }

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ public function isCsrfTokenValid($intention, $token)`
`66`	`66`	`return StringUtils::equals($expectedToken, $token);`
`67`	`67`	`}`
`68`	`68`
`69`		`- return $token === $this->generateCsrfToken($intention);`
	`69`	`+ return $token === $expectedToken;`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@`
`13`	`13`
`14`	`14`	`use Symfony\Component\Security\Core\SecurityContextInterface;`
`15`	`15`	`use Symfony\Component\Security\Core\User\UserProviderInterface;`
	`16`	`+use Symfony\Component\Security\Core\Util\StringUtils;`
`16`	`17`	`use Symfony\Component\Security\Http\EntryPoint\DigestAuthenticationEntryPoint;`
`17`	`18`	`use Psr\Log\LoggerInterface;`
`18`	`19`	`use Symfony\Component\HttpKernel\Event\GetResponseEvent;`
`@@ -99,7 +100,7 @@ public function handle(GetResponseEvent $event)`
`99`	`100`	`return;`
`100`	`101`	`}`
`101`	`102`
`102`		`- if ($serverDigestMd5 !== $digestAuth->getResponse()) {`
	`103`	`+ if (!StringUtils::equals($serverDigestMd5, $digestAuth->getResponse())) {`
`103`	`104`	`if (null !== $this->logger) {`
`104`	`105`	`$this->logger->debug(sprintf('Expected response: "%s" but received: "%s"; is AuthenticationDao returning clear text passwords?', $serverDigestMd5, $digestAuth->getResponse()));`
`105`	`106`	`}`