Request #67939 hash_equals: Don't leak length difference (PR #792)
Submitted: 2014-08-31 00:25 UTC
Modified: 2017-03-09 19:59 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: dunglas at gmail dot com
Assigned:
Status: Wont fix
Package: hash related
PHP Version: 5.6.0
OS:
Private report: No
CVE-ID: None

 [2014-08-31 00:25 UTC] dunglas at gmail dot com
Description:
------------
https://github.com/php/php-src/pull/791

hash_equals leaks the difference in length of the compared strings (this is a documented behavior).
This implementation, ported from Symfony, doesn't.

The discussion started in an attempt to use hash_equals in Symfony: symfony/symfony#11797
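
The length behaviour described in this report, next to one common way of comparing on fixed-length values, as an added example (it is not the Symfony port and not the code from the pull request). The function name and the sample token are hypothetical, and `random_bytes()` assumes PHP 7 or later.

```php
<?php
declare(strict_types=1);

/**
 * Added example: compare two strings of possibly different length by
 * comparing fixed-length HMAC-SHA256 digests of each one.
 * Hypothetical helper, not part of PHP or Symfony.
 */
function equals_without_length_leak(string $known, string $user): bool
{
    // One-time random key, so the digests compared differ on every call
    // and cannot be precomputed by whoever supplies $user.
    $key = random_bytes(32);

    // Raw binary output: both digests are always exactly 32 bytes.
    $knownMac = hash_hmac('sha256', $known, $key, true);
    $userMac  = hash_hmac('sha256', $user, $key, true);

    // Equal lengths, so hash_equals() never takes its immediate
    // "lengths differ" return and always walks the full 32 bytes.
    return hash_equals($knownMac, $userMac);
}

// Constructed sample values, for illustration only.
$stored = 'constructed-sample-token-0123456789';

// Built-in behaviour: different lengths, so false is returned immediately.
var_dump(hash_equals($stored, 'short'));

// Same inputs through the helper: the comparison runs on 32-byte digests.
var_dump(equals_without_length_leak($stored, 'short'));
var_dump(equals_without_length_leak($stored, $stored));
```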



 [2014-08-31 00:32 UTC] dunglas at gmail dot com
-Summary: hash_equals: Don't leak length difference (PR #791)
+Summary: hash_equals: Don't leak length difference (PR #792)
 [2014-08-31 00:32 UTC] dunglas at gmail dot com
PR reopened against the 5.6 branch: https://github.com/php/php-src/pull/791
 [2017-03-09 19:59 UTC] nikic@php.net
-Status: Open
+Status: Wont fix
 [2017-03-09 19:59 UTC] nikic@php.net
Marking as won't fix based on the decision in the linked PR.