[HttpKernel] Use constant time comparison in UriSigner

stof · nicolas-grekas · commit 9a50fc572202 · 2019-11-11T13:20:20.000+01:00
diff --git a/src/Symfony/Component/HttpKernel/UriSigner.php b/src/Symfony/Component/HttpKernel/UriSigner.php
@@ -75,7 +75,7 @@ public function check($uri)
         $hash = urlencode($params['_hash']);
         unset($params['_hash']);
 
-        return $this->computeHash($this->buildUrl($url, $params)) === $hash;
+        return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
     }
 
     private function computeHash($uri)
diff --git a/src/Symfony/Component/HttpKernel/composer.json b/src/Symfony/Component/HttpKernel/composer.json
@@ -21,6 +21,7 @@
         "symfony/http-foundation": "~2.7.36|~2.8.29|~3.1.6",
         "symfony/debug": "^2.6.2",
         "symfony/polyfill-ctype": "~1.8",
+        "symfony/polyfill-php56": "~1.8",
         "psr/log": "~1.0"
     },
     "require-dev": {

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ public function check($uri)`
`75`	`75`	`$hash = urlencode($params['_hash']);`
`76`	`76`	`unset($params['_hash']);`
`77`	`77`
`78`		`- return $this->computeHash($this->buildUrl($url, $params)) === $hash;`
	`78`	`+ return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`private function computeHash($uri)`