[wp-trac] [WordPress Trac] #29132: improve hash_equals() introduced in r29382
WordPress Trac
noreply at wordpress.org
Wed Aug 6 13:08:27 UTC 2014
#29132: improve hash_equals() introduced in r29382
-------------------------------+-----------------------------
Reporter: Denis-de-Bernardy | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Keywords:
Focuses: |
-------------------------------+-----------------------------
The `hash_equals()` function introduced in r29382 can leak the length of
the string being compared. A potential improvement would be to add a nop
instead of returning false directly, e.g. something like:
{{{
function hash_equals( $a, $b ) {
	// Do not attempt to "optimize" this.
	// Fold the length difference into the result instead of returning early,
	// so unequal lengths still fail without a short-circuit.
	$result   = strlen( $a ) ^ strlen( $b );
	$a_length = strlen( $a );
	for ( $i = 0; $i < $a_length; $i++ ) {
		// Offsets past the end of $b contribute nothing here; the length
		// term above already marks the strings as unequal.
		$result |= isset( $b[ $i ] ) ? ( ord( $a[ $i ] ) ^ ord( $b[ $i ] ) ) : 0;
	}
	return $result === 0;
}
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29132>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
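As an added illustration (not code from the ticket or from WordPress core), the following PHP compare folds the length difference into the accumulator and loops over the length of the known value, so neither the loop count nor an early exit depends on the caller-supplied string; the function name and the sample digest are constructed for this example.

```php
<?php
// Added example, not the ticket's code: constant-time string comparison
// that never returns early. $known is the expected value (e.g. a stored
// HMAC), $user is the value supplied by the caller. Name is hypothetical.
function constant_time_equals( $known, $user ) {
	$known_len = strlen( $known );
	$user_len  = strlen( $user );

	// Seed the result with the length difference: unequal lengths are
	// always rejected, but only after the full loop below has run.
	$result = $known_len ^ $user_len;

	// Iterate over the known value's length, not the input's, so the number
	// of iterations does not depend on what the caller sent.
	for ( $i = 0; $i < $known_len; $i++ ) {
		// Out-of-range offsets compare $known against itself (XOR = 0) so
		// each iteration does the same work; the length term already
		// records the mismatch.
		$u = ( $i < $user_len ) ? $user[ $i ] : $known[ $i ];
		$result |= ord( $known[ $i ] ) ^ ord( $u );
	}
	return 0 === $result;
}

// Constructed sample value (a 32-character hex string, not a real secret).
$secret = 'e3b0c44298fc1c149afbf4c8996fb924';

// Functional checks only; this does not measure timing.
$checks = array(
	'equal'       => constant_time_equals( $secret, $secret ) === true,
	'last byte'   => constant_time_equals( $secret, substr( $secret, 0, -1 ) . '5' ) === false,
	'shorter'     => constant_time_equals( $secret, substr( $secret, 0, -1 ) ) === false,
	'longer'      => constant_time_equals( $secret, $secret . 'x' ) === false,
	'empty input' => constant_time_equals( $secret, '' ) === false,
	'both empty'  => constant_time_equals( '', '' ) === true,
);
foreach ( $checks as $name => $ok ) {
	echo str_pad( $name, 12 ), $ok ? 'ok' : 'FAIL', "\n";
}
```

On PHP 5.6 and later the native `hash_equals()` should be used instead; the polyfill above matters only where that builtin is absent, and the known value must be passed as the first argument for the loop-length property to hold.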