authorMarc Alexander <admin@m-a-styles.de>2015-06-04 17:16:22 +0200
committerMarc Alexander <admin@m-a-styles.de>2015-06-04 17:16:22 +0200
commitfb94bd11fbffb1342cb094e76899a01180d56917 (patch)
treea4f46e7405fc326475b29eab8140f4c5d658b752 /phpBB/phpbb/passwords
parent[ticket/13917] Use hash_equals() if it's available (diff)
[ticket/13917] Do not pass non-string variables to hash_equals()
PHPBB3-13917
Diffstat (limited to 'phpBB/phpbb/passwords')
-rw-r--r--phpBB/phpbb/passwords/driver/helper.php10
1 files changed, 8 insertions, 2 deletions
diff --git a/phpBB/phpbb/passwords/driver/helper.php b/phpBB/phpbb/passwords/driver/helper.php
index a99541233f..f80c3e3df6 100644
--- a/phpBB/phpbb/passwords/driver/helper.php
+++ b/phpBB/phpbb/passwords/driver/helper.php
@@ -153,17 +153,23 @@ class helper
*/
public function string_compare($string_a, $string_b)
{
+ // Return if input variables are not strings or if length does not match
+ if (!is_string($string_a) || !is_string($string_b) || strlen($string_a) != strlen($string_b))
+ {
+ return false;
+ }
+
// Use hash_equals() if it's available
if (function_exists('hash_equals'))
{
return hash_equals($string_a, $string_b);
}
- $difference = strlen($string_a) != strlen($string_b);
+ $difference = 0;
for ($i = 0; $i < strlen($string_a) && $i < strlen($string_b); $i++)
{
- $difference |= $string_a[$i] != $string_b[$i];
+ $difference |= ord($string_a[$i]) ^ ord($string_b[$i]);
}
return $difference === 0;
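Review bot: The new guard at the top of `string_compare()` returns early on a type or length mismatch, so the function is timing-safe only for the content of equal-length strings, and the guard's comment should say so. A wording such as `// Type and length are not treated as secret; only the byte-wise comparison below is constant-time` would stop callers from assuming length is hidden as well. Since equal lengths are now guaranteed before the fallback loop, its double bound `$i < strlen($string_a) && $i < strlen($string_b)` is redundant and calls `strlen()` twice per iteration; `for ($i = 0, $len = strlen($string_a); $i < $len; $i++)` is equivalent and easier to audit. The docblock and the closing brace of the method lie outside the hunk, so whether the `false` result for non-string input is documented there cannot be confirmed from this view.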