PHP :: Request #67939 :: hash_equals: Don't leak length difference (PR #792)

hash_equals: Don't leak length difference (PR #792)

Submitted:

2014-08-31 00:25 UTC

Modified:

2017-03-09 19:59 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

dunglas at gmail dot com

Assigned:

Status:

Wont fix

Package:

hash related

PHP Version:

5.6.0

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	dunglas at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2014-08-31 00:25 UTC] dunglas at gmail dot com

Description:
------------
https://github.com/php/php-src/pull/791

hash_equals leaks difference in length of compared strings (this is a documented behavior).
This implementation ported from Symfony don't.

The discussion started in a try to use hash_equals in Symfony: symfony/symfony#11797

Patches

Pull Requests

Pull requests:

hash_equals: Leak less lengths differences. (Bug 67939) (php-src/792)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-08-31 00:32 UTC] dunglas at gmail dot com

-Summary: hash_equals: Don't leak length difference (PR #791) +Summary: hash_equals: Don't leak length difference (PR #792)

[2014-08-31 00:32 UTC] dunglas at gmail dot com

PR reopened against the 5.6 branch: https://github.com/php/php-src/pull/791

[2017-03-09 19:59 UTC] nikic@php.net

-Status: Open +Status: Wont fix

[2017-03-09 19:59 UTC] nikic@php.net

Marking as won't fix based on the decision in the linked PR.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Mar 22 09:01:28 2025 UTC