[wp-trac] [WordPress Trac] #32778: hash_equals() does not compare strings in constant time
WordPress Trac
noreply at wordpress.org
Wed Jun 24 13:51:02 UTC 2015
#32778: hash_equals() does not compare strings in constant time
--------------------------+-----------------------------
 Reporter:  nbachiyski    |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  General       |     Version:  trunk
 Severity:  normal        |    Keywords:
  Focuses:  docs          |
--------------------------+-----------------------------
The phpdoc of `hash_equals` says: “Compare two strings in constant time.”
The term “constant time” is widely used in computer science and means
[https://en.wikipedia.org/wiki/Time_complexity#Constant_time O(1) time
complexity], or its running time not depending on the size of the input
data. This is not the case with `hash_equals`, where we only make sure
that input data with the same size takes the same amount of time.
The first time I saw the WordPress code it took me a few minutes to
understand what was going on.
Is it possible that we steal the description from php.net: “Timing attack
safe string comparison” and link to the documentation there at:
http://php.net/hash_equals?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32778>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
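The distinction the ticket draws, as an added example that is neither the reporter's nor WordPress's code: a hash_equals()-style comparison whose work grows with the length of the input (so it is not O(1)) but, for equal-length inputs, does not change with where the strings differ, beside an early-exit comparison that does. The function names, the by-reference step counters and the sample inputs are mine.

```php
<?php
// Added demonstration, not WordPress's polyfill: a hash_equals()-style
// comparison. Running time scales with the input length, but for inputs
// of equal length it does not depend on where, or whether, they differ.
function timing_safe_equals(string $known, string $user, &$steps = 0): bool
{
    $steps = 0;
    if (strlen($known) !== strlen($user)) {
        return false; // only the length mismatch is revealed
    }
    $result = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $result |= ord($known[$i]) ^ ord($user[$i]); // no early exit
        $steps++;
    }
    return $result === 0;
}
// Early-exit comparison: stops at the first differing byte, so the time
// taken leaks how long a matching prefix the caller has supplied.
function early_exit_equals(string $known, string $user, &$steps = 0): bool
{
    $steps = 0;
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $steps++;
        if ($known[$i] !== $user[$i]) {
            return false;
        }
    }
    return true;
}
// Constructed inputs: a 32-byte secret and guesses that differ at
// different positions, match exactly, or have the wrong length.
$secret = str_repeat('a', 32);
$guesses = [
    'differs at byte 0'  => 'b' . str_repeat('a', 31),
    'differs at byte 31' => str_repeat('a', 31) . 'b',
    'exact match'        => $secret,
    'wrong length'       => str_repeat('a', 16),
];
foreach ($guesses as $label => $guess) {
    $safe = timing_safe_equals($secret, $guess, $s1);
    $fast = early_exit_equals($secret, $guess, $s2);
    printf("%-18s timing-safe: %2d steps (%s)  early-exit: %2d steps (%s)\n",
        $label, $s1, var_export($safe, true), $s2, var_export($fast, true));
}
```

The step counts show the point: the timing-safe version does 32 steps for every equal-length guess whether it differs at byte 0 or byte 31, while the early-exit version does 1 step versus 32; both return immediately on a length mismatch, which is exactly the size dependence the ticket says “constant time” fails to describe.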