mirror of
https://github.com/phpbb/phpbb.git
synced 2025-06-28 14:18:52 +00:00
[ticket/13917] Do not pass non-string variables to hash_equals()
PHPBB3-13917
This commit is contained in:
Marc Alexander
parent
852337cacd
commit
fb94bd11fb
1 changed files with 8 additions and 2 deletions
|
|
@ -153,17 +153,23 @@ class helper
|
||||||
*/
|
*/
|
||||||
public function string_compare($string_a, $string_b)
|
public function string_compare($string_a, $string_b)
|
||||||
{
|
{
|
||||||
|
// Return if input variables are not strings or if length does not match
|
||||||
|
if (!is_string($string_a) || !is_string($string_b) || strlen($string_a) != strlen($string_b))
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
// Use hash_equals() if it's available
|
// Use hash_equals() if it's available
|
||||||
if (function_exists('hash_equals'))
|
if (function_exists('hash_equals'))
|
||||||
{
|
{
|
||||||
return hash_equals($string_a, $string_b);
|
return hash_equals($string_a, $string_b);
|
||||||
}
|
}
|
||||||
|
|
||||||
$difference = strlen($string_a) != strlen($string_b);
|
$difference = 0;
|
||||||
|
|
||||||
for ($i = 0; $i < strlen($string_a) && $i < strlen($string_b); $i++)
|
for ($i = 0; $i < strlen($string_a) && $i < strlen($string_b); $i++)
|
||||||
{
|
{
|
||||||
$difference |= $string_a[$i] != $string_b[$i];
|
$difference |= ord($string_a[$i]) ^ ord($string_b[$i]);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $difference === 0;
|
return $difference === 0;
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue