[wp-trac] [WordPress Trac] #32778: hash_equals() does not compare strings in constant time
WordPress Trac
noreply at wordpress.org
Fri Jun 26 01:09:06 UTC 2015
#32778: hash_equals() does not compare strings in constant time
--------------------------+------------------------------
Reporter: nbachiyski | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Resolution:
Keywords: | Focuses: docs
--------------------------+------------------------------
Comment (by dd32):
> Does it perform the same as php's hash_equals? More or less, I mean? If
> so, then equating the description is fine.
It performs exactly the same as the PHP function - literally a port of
that function to pure PHP.
Given there have been several security reports of "hash_equals() is not
constant-time when string lengths differ" (which is the intended behaviour
- as most string lengths are known inside PHP/WordPress already, so
preventing that is mostly pointless and complex) I'd agree that making it
clearer in the docs is worthwhile, if it can be done :)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32778#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
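The behaviour dd32 describes (a byte-by-byte comparison that does not stop at the first difference, but does return early on a length mismatch) is shown below as an added example in pure PHP. This is not WordPress's or PHP's own code and not dd32's; the function names `naive_equals`, `ct_equals` and `ct_equals_fixed_width` and the sample HMAC values are this example's own.

```php
<?php
// Added example (not WordPress's or PHP's own code): a constant-time
// comparison in the style of the hash_equals() port discussed in the
// ticket, beside the naive comparison it replaces.

/**
 * Naive comparison: PHP's `===` on strings stops at the first differing
 * byte, so the time taken depends on how long a prefix of the known
 * value the attacker-controlled $user_value already matches.
 */
function naive_equals( string $known, string $user_value ): bool {
    return $known === $user_value;
}

/**
 * Constant-time comparison for equal-length strings.
 * As with hash_equals(), a length mismatch returns early: the length of a
 * signature or token is not treated as a secret. For equal lengths every
 * byte is visited and differences are accumulated with XOR/OR, so the
 * running time no longer depends on where the first difference occurs.
 */
function ct_equals( string $known, string $user_value ): bool {
    $length = strlen( $known );
    if ( $length !== strlen( $user_value ) ) {
        return false; // intended: lengths are already known in this context
    }
    $result = 0;
    for ( $i = 0; $i < $length; $i++ ) {
        // Accumulate differences without branching on them.
        $result |= ord( $known[ $i ] ) ^ ord( $user_value[ $i ] );
    }
    return 0 === $result;
}

/**
 * Variant for the rarer case where the length itself must not leak:
 * reduce both inputs to a fixed-width digest first, then compare those.
 */
function ct_equals_fixed_width( string $known, string $user_value ): bool {
    return ct_equals(
        hash( 'sha256', $known, true ),
        hash( 'sha256', $user_value, true )
    );
}

// Constructed sample values: an HMAC tag for a request and candidate tags.
$tag = hash_hmac( 'sha256', 'action=delete&id=42', 'example-key-not-real' );

assert( ct_equals( $tag, $tag ) );
assert( ! ct_equals( $tag, substr( $tag, 0, -1 ) . 'x' ) ); // last byte differs
assert( ! ct_equals( $tag, 'short' ) );                     // length mismatch
assert( ct_equals_fixed_width( 'abc', 'abc' ) );
assert( ! ct_equals_fixed_width( 'abc', 'abcd' ) );

// Same verdicts as the built-in (PHP >= 5.6); only the timing profile differs
// from naive_equals().
assert( ct_equals( $tag, $tag ) === hash_equals( $tag, $tag ) );
assert( naive_equals( $tag, $tag ) === hash_equals( $tag, $tag ) );
```

Run with `php -d zend.assertions=1 example.php`; no output means every assertion held. The design point is the one in the comment: the loop never exits on a mismatched byte, so an attacker cannot learn how many leading bytes were correct, while the up-front length check is left in place because the lengths of tags and nonces are not secret. The `ct_equals_fixed_width` variant is only worth the extra hashing where the length of the known value genuinely must stay hidden.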