php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #67939 hash_equals: Don't leak length difference (PR #792)
Submitted: 2014-08-31 00:25 UTC Modified: 2017-03-09 19:59 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: dunglas at gmail dot com Assigned:
Status: Wont fix Package: hash related
PHP Version: 5.6.0 OS:
Private report: No CVE-ID: None
 [2014-08-31 00:25 UTC] dunglas at gmail dot com
Description:
------------
https://github.com/php/php-src/pull/791

hash_equals leaks difference in length of compared strings (this is a documented behavior).
This implementation ported from Symfony don't.

The discussion started in a try to use hash_equals in Symfony: symfony/symfony#11797



Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-08-31 00:32 UTC] dunglas at gmail dot com
-Summary: hash_equals: Don't leak length difference (PR #791) +Summary: hash_equals: Don't leak length difference (PR #792)
 [2014-08-31 00:32 UTC] dunglas at gmail dot com
PR reopened against the 5.6 branch: https://github.com/php/php-src/pull/791
 [2017-03-09 19:59 UTC] nikic@php.net
-Status: Open +Status: Wont fix
 [2017-03-09 19:59 UTC] nikic@php.net
Marking as won't fix based on the decision in the linked PR.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 09 07:01:27 2024 UTC