Use the hash_equals function (introduced in PHP 5.6) for timing attack safe string comparison when available.
Add in the DocBlock that length will leak (see php/php-src#792).
Labels | Added: ? |
for using native hash_equals() if it exists.
Category | ⇒ | Libraries |
Can you please provide test instructions?
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/4206.
As this requires PHP 5.6, which is higher than our minimum requirement, how can this be merged?
Setting to Needs Review so the CMS maintainers can make a decision
Status | Pending | ⇒ | Needs Review |
As this requires PHP 5.6, which is higher than our minimum requirement, how can this be merged?
Have you even read what the pull request does? It's wrapped inside of an if (function_exists('hash_equals')) block...
The PR looks good, but please update the PR to latest staging so that Travis is run and can give us a proper result.
I don't see an issue with this. We've done similar things in the past where we use native PHP functions conditionally and fall back to something else if it isn't available. As requested previously though, can this PR be sync'd with the staging branch so it can be properly tested by both users and the CI suite? Also, there is one code style issue to fix; the opening bracket for the if statement should be on a new line.
Status | Needs Review | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-08-23 17:38:10 |
Closed_By | ⇒ | zero-24 |
#3832
Similar issue, alternative fix, we received a while back (less good but full PHP version support)
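
The pattern discussed in this thread (native hash_equals() when it exists, a byte-wise fallback otherwise, and a DocBlock noting the length leak), shown as an added example that is not the code from this pull request or from Joomla. The function name timingSafeCompare and the sample values are assumptions made for illustration.

```php
<?php
/**
 * Timing attack safe string comparison (hypothetical helper, not Joomla's API).
 *
 * The length of the strings will leak (see php/php-src#792), so compare
 * fixed-length values such as hex digests rather than raw secrets.
 *
 * @param   string  $known    The value held by the application.
 * @param   string  $unknown  The user-supplied value.
 *
 * @return  boolean  True if both strings are identical.
 */
function timingSafeCompare($known, $unknown)
{
    // Reject non-strings up front so null or an array can never compare equal.
    if (!is_string($known) || !is_string($unknown))
    {
        return false;
    }

    // Native implementation, available from PHP 5.6.
    if (function_exists('hash_equals'))
    {
        return hash_equals($known, $unknown);
    }

    // Fallback for older PHP: this early return is where the length leaks.
    $length = strlen($known);

    if ($length !== strlen($unknown))
    {
        return false;
    }

    // OR together the XOR of every byte pair; no exit on the first mismatch.
    $result = 0;

    for ($i = 0; $i < $length; $i++)
    {
        $result |= ord($known[$i]) ^ ord($unknown[$i]);
    }

    return $result === 0;
}

// Constructed sample values: a stored token digest and submitted candidates.
$stored = hash('sha256', 'constructed-sample-token');
var_dump(timingSafeCompare($stored, hash('sha256', 'constructed-sample-token')));
var_dump(timingSafeCompare($stored, hash('sha256', 'wrong-guess')));
var_dump(timingSafeCompare($stored, null));
```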