8000 security #cve-2019-18887 [HttpKernel] Use constant time comparison in… · symfony/symfony@d41bd42 · GitHub
[go: up one dir, main page]
Skip to content

Commit d41bd42

Browse files
nicolas-grekasnicolas-grekas
committed
security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)
This PR was merged into the 2.8 branch.
2 parents 78d86f8 + 9a50fc5 commit d41bd42

File tree

2 files changed

+2
-1
lines changed

2 files changed

+2
-1
lines changed

src/Symfony/Component/HttpKernel/UriSigner.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -75,7 +75,7 @@ public function check($uri)
7575
$hash = urlencode($params['_hash']);
7676
unset($params['_hash']);
7777

78-
return $this->computeHash($this->buildUrl($url, $params)) === $hash;
78+
return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
7979
}
8080

8181
private function computeHash($uri)

src/Symfony/Component/HttpKernel/composer.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@
2121
"symfony/http-foundation": "~2.7.36|~2.8.29|~3.1.6",
2222
"symfony/debug": "^2.6.2",
2323
"symfony/polyfill-ctype": "~1.8",
24+
"symfony/polyfill-php56": "< 4CF8 /span>~1.8",
2425
"psr/log": "~1.0"
2526
},
2627
"require-dev": {

0 commit comments

Comments
 (0)
0