[wp-trac] [WordPress Trac] #32778: hash_equals() does not compare strings in constant time

WordPress Trac noreply at wordpress.org
Wed Jun 24 13:51:02 UTC 2015

#32778: hash_equals() does not compare strings in constant time
 Reporter:  nbachiyski    |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:  docs          |
 The phpdoc of `hash_equals` says: “Compare two strings in constant time.”

 The term “constant time” is widely used in computer science and means
 [https://en.wikipedia.org/wiki/Time_complexity#Constant_time O(1) time
 complexity], or its running time not depending o the size of the input
 data. This is not the case with `hash_equals`, where we only make sure
 that input data with the same size takes the same amount of time.

 The first time I saw the WordPress code it took me few minutes to
 understand what was going on.

 Is it possible that we steal the description from php.net: “Timing attack
 safe string comparison” and link to the documentation there at:

Ticket URL: <https://core.trac.wordpress.org/ticket/32778>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list