PHP :: Request #67939 :: hash_equals: Don't leak length difference (PR #792)

hash_equals: Don't leak length difference (PR #792)

Submitted:

2014-08-31 00:25 UTC

Modified:

2017-03-09 19:59 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

dunglas at gmail dot com

Assigned:

Status:

Wont fix

Package:

hash related

PHP Version:

5.6.0

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	dunglas at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2014-08-31 00:25 UTC] dunglas at gmail dot com

Description:
------------
https://github.com/php/php-src/pull/791

hash_equals leaks difference in length of compared strings (this is a documented behavior).
This implementation ported from Symfony don't.

The discussion started in a try to use hash_equals in Symfony: symfony/symfony#11797

Patches

Pull Requests

Pull requests:

hash_equals: Leak less lengths differences. (Bug 67939) (php-src/792)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-08-31 00:32 UTC] dunglas at gmail dot com

-Summary: hash_equals: Don't leak length difference (PR #791) +Summary: hash_equals: Don't leak length difference (PR #792)

[2014-08-31 00:32 UTC] dunglas at gmail dot com

PR reopened against the 5.6 branch: https://github.com/php/php-src/pull/791

[2017-03-09 19:59 UTC] nikic@php.net

-Status: Open +Status: Wont fix

[2017-03-09 19:59 UTC] nikic@php.net

Marking as won't fix based on the decision in the linked PR.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Dec 22 03:01:28 2024 UTC