[wp-trac] [WordPress Trac] #29132: improve hash_equals() introduced in r29382
WordPress Trac
noreply at wordpress.org
Wed Aug 6 16:44:56 UTC 2014
#29132: improve hash_equals() introduced in r29382
-------------------------------+----------------------
Reporter: Denis-de-Bernardy | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Security | Version: trunk
Severity: normal | Resolution: wontfix
Keywords: | Focuses:
-------------------------------+----------------------
Changes (by nacin):
* status: new => closed
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:
It looks like that might still leak the length. That said, you're right in
that it is pretty easy to make this not leak the length. Some (but not
all) other time-constant comparison functions in the PHP world do this.
However, PHP 5.6's implementation specifically [https://github.com/php/php-src/blob/68e479b94d2ee48935726dab4bcc118e75feccab/ext/hash/hash.c#L734 does *not* protect] the length. Because this is a "compat" layer for a
core PHP function, we decided to mirror it as closely as possible, for
better or worse. Otherwise, you might be using it thinking it protects the
length when by PHP 5.6 it will not.
Incidentally, the length is often known in these situations anyway, and is
known for where we are using it.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29132#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
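The two behaviours discussed in the comment above, as an added example that is not part of the ticket, the mailing-list post, or WordPress core. The first function mirrors what nacin describes for PHP 5.6's hash_equals(): constant time over the bytes, but an early return when the lengths differ, so the length of the known string is observable. The second hides the length by HMACing both inputs under a fresh random key and comparing the fixed-size digests. Function names, the `$work` counter, and the sample secret are all invented for illustration.

```php
<?php
// Added example, not WordPress core code and not the patch from the ticket.
// The $work by-reference counter records how many byte comparisons ran so the
// length leak is visible deterministically rather than through noisy timing.

/**
 * Mirrors PHP 5.6 hash_equals() behaviour: constant time in the *content*
 * of the two strings, but returns immediately when their lengths differ.
 * Argument order matters: $known is the secret, $user the attacker input.
 */
function ct_equals_length_leaking( $known, $user, &$work = null ) {
	$work = 0;
	if ( ! is_string( $known ) || ! is_string( $user ) ) {
		return false;
	}
	$len = strlen( $known );
	if ( $len !== strlen( $user ) ) {
		return false; // fast path: a timing side channel reveals the length mismatch
	}
	$diff = 0;
	for ( $i = 0; $i < $len; $i++ ) {
		$work++;
		$diff |= ord( $known[ $i ] ) ^ ord( $user[ $i ] );
	}
	return 0 === $diff;
}

/**
 * Length-hiding variant: HMAC both inputs under a per-call random key so the
 * byte loop always runs over two 32-byte digests. The hash itself still takes
 * time proportional to each input's length, but that reveals nothing about
 * whether the *user* string has the right length, because both hashes run
 * unconditionally. Cost: two extra HMACs per comparison.
 */
function ct_equals_length_hiding( $known, $user, &$work = null ) {
	$work = 0;
	if ( ! is_string( $known ) || ! is_string( $user ) ) {
		return false;
	}
	$key = function_exists( 'random_bytes' )
		? random_bytes( 32 )                       // PHP 7+
		: openssl_random_pseudo_bytes( 32 );       // PHP 5.x fallback
	$a = hash_hmac( 'sha256', $known, $key, true );
	$b = hash_hmac( 'sha256', $user, $key, true );
	return ct_equals_length_leaking( $a, $b, $work ); // lengths are always 32
}

// Constructed sample inputs: a 28-byte secret and guesses of wrong and right length.
$secret = 'correct-horse-battery-staple';
$guesses = array(
	'x',                              // wrong length
	'correct-horse-battery-stapl',    // off by one byte in length
	'wrong-horse-battery-staple!!',   // right length, wrong content
	$secret,                          // exact match
);

foreach ( $guesses as $guess ) {
	$leaky  = ct_equals_length_leaking( $secret, $guess, $w_leak );
	$hidden = ct_equals_length_hiding( $secret, $guess, $w_hide );
	printf(
		"%-30s leaking=%-5s (%2d byte ops)  hiding=%-5s (%2d byte ops)\n",
		$guess,
		var_export( $leaky, true ),
		$w_leak,
		var_export( $hidden, true ),
		$w_hide
	);
}
```

Run with `php example.php`: the length-leaking variant does 0 byte operations for the two wrong-length guesses and 28 for the right-length ones, while the HMAC variant always does 32 regardless of the guess. As the comment notes, the leak only matters when the attacker does not already know the secret's length; for fixed-size tokens such as hash outputs, mirroring PHP's native behaviour costs nothing in practice, and a polyfill that silently did more than the native function would give callers a false expectation once they upgrade to PHP 5.6.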