PHP :: Request #67939 :: hash_equals: Don't leak length difference (PR #792)

hash_equals: Don't leak length difference (PR #792)

Submitted:

2014-08-31 00:25 UTC

Modified:

2017-03-09 19:59 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

dunglas at gmail dot com

Assigned:

Status:

Wont fix

Package:

hash related

PHP Version:

5.6.0

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2014-08-31 00:25 UTC] dunglas at gmail dot com

Description:
------------
https://github.com/php/php-src/pull/791

hash_equals leaks difference in length of compared strings (this is a documented behavior).
This implementation ported from Symfony don't.

The discussion started in a try to use hash_equals in Symfony: symfony/symfony#11797

Patches

Pull Requests

Pull requests:

hash_equals: Leak less lengths differences. (Bug 67939) (php-src/792)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-08-31 00:32 UTC] dunglas at gmail dot com

-Summary: hash_equals: Don't leak length difference (PR #791) +Summary: hash_equals: Don't leak length difference (PR #792)

[2014-08-31 00:32 UTC] dunglas at gmail dot com

PR reopened against the 5.6 branch: https://github.com/php/php-src/pull/791

[2017-03-09 19:59 UTC] nikic@php.net

-Status: Open +Status: Wont fix

[2017-03-09 19:59 UTC] nikic@php.net

Marking as won't fix based on the decision in the linked PR.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 15:00:01 2025 UTC