[wp-trac] [WordPress Trac] #32778: hash_equals() does not compare strings in constant time

WordPress Trac noreply at wordpress.org
Fri Jun 26 01:09:06 UTC 2015

#32778: hash_equals() does not compare strings in constant time
 Reporter:  nbachiyski    |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  General       |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:  docs

Comment (by dd32):

 > Does it perform the same as php's hash_equals? More or less, I mean? If
 > so, then equating the description is fine.

 It performs exactly the same as the PHP function - literally a port of
 that function to pure PHP.

 Given there have been several security reports of "hash_equals() is not
 constant-time when string lengths differ" (which is the intended behaviour
 - as most string lengths are known inside PHP/WordPress already, so
 preventing that is mostly pointless and complex) I'd agree that making it
 clearer in the docs is worthwhile, if it can be done :)

Ticket URL: <https://core.trac.wordpress.org/ticket/32778#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
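The comparison the comment describes, written out as an added example (it is not code from WordPress core or from this ticket, and the function name, secret and request body are constructed for the demo): a pure-PHP constant-time compare that returns early only on a length mismatch, then XORs every byte without an early exit. The usage below compares two HMAC-SHA256 hex tags, which are always the same length, so the length branch is never reached on well-formed input and the only timing signal is the fixed per-byte loop.

```php
<?php
// Added example: a pure-PHP constant-time comparison in the style of the
// polyfill described in the ticket (not copied from WordPress core).
// The name is prefixed so it does not clash with the built-in hash_equals().
function example_hash_equals(string $known, string $user): bool
{
    $len = strlen($known);
    // The length check comes first and returns immediately on mismatch, so
    // the length of $known is the one property this function does not hide.
    if ($len !== strlen($user)) {
        return false;
    }
    $diff = 0;
    // XOR each byte pair and OR the results together. There is no early exit
    // on the first differing byte, so the loop runs for exactly $len bytes
    // regardless of where (or whether) the strings differ.
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Typical use: verifying a MAC over a request body. Both tags are hex-encoded
// SHA-256 HMACs, so both are 64 bytes and the length branch never fires for a
// well-formed request; an attacker gains nothing from it.
$secret  = 'constructed-example-secret';      // assumption: demo key only
$body    = '{"action":"publish","post":42}';  // constructed payload
$goodTag = hash_hmac('sha256', $body, $secret);
$badTag  = hash_hmac('sha256', $body . 'x', $secret);

var_dump(example_hash_equals($goodTag, $goodTag));
var_dump(example_hash_equals($goodTag, $badTag));
// A truncated tag is rejected through the length branch, not the loop.
var_dump(example_hash_equals($goodTag, substr($goodTag, 0, 10)));

// Cross-check against the native function on PHP >= 5.6: the polyfill and
// the builtin must agree on every input.
if (function_exists('hash_equals')) {
    var_dump(hash_equals($goodTag, $badTag) === example_hash_equals($goodTag, $badTag));
}
```

Run with `php example.php`. The first `var_dump` is true, the next two false, and the cross-check is true. The caller's job is to pass a value of fixed, non-secret length as `$known` (a MAC, a hash, a token of known size); when that holds, the early return on length mismatch leaks nothing that is not already public, which is the point the comment makes.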