Skip to content

n/a #16630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Nov 23, 2015
Merged

n/a #16630

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f1fd768
fix potential timing attack issue
xabbuh Nov 10, 2015
557ea17
mitigate CSRF timing attack vulnerability
xabbuh Nov 10, 2015
819aa54
prevent timing attacks in digest auth listener
xabbuh Nov 10, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@

namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;

use Symfony\Component\Security\Core\Util\StringUtils;

/**
* Default implementation of CsrfProviderInterface.
*
Expand Down Expand Up @@ -54,7 +56,17 @@ public function generateCsrfToken($intention)
*/
public function isCsrfTokenValid($intention, $token)
{
return $token === $this->generateCsrfToken($intention);
$expectedToken = $this->generateCsrfToken($intention);

if (function_exists('hash_equals')) {
return hash_equals($expectedToken, $token);
}

if (class_exists('Symfony\Component\Security\Core\Util\StringUtils')) {
return StringUtils::equals($expectedToken, $token);
}

return $token === $expectedToken;
}

/**
Expand Down
3 changes: 2 additions & 1 deletion src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@

use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Core\Util\StringUtils;
use Symfony\Component\Security\Http\EntryPoint\DigestAuthenticationEntryPoint;
use Psr\Log\LoggerInterface;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
Expand Down Expand Up @@ -99,7 +100,7 @@ public function handle(GetResponseEvent $event)
return;
}

if ($serverDigestMd5 !== $digestAuth->getResponse()) {
if (!StringUtils::equals($serverDigestMd5, $digestAuth->getResponse())) {
if (null !== $this->logger) {
$this->logger->debug(sprintf('Expected response: "%s" but received: "%s"; is AuthenticationDao returning clear text passwords?', $serverDigestMd5, $digestAuth->getResponse()));
}
Expand Down
3 changes: 2 additions & 1 deletion src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Util\SecureRandomInterface;
use Psr\Log\LoggerInterface;
use Symfony\Component\Security\Core\Util\StringUtils;

/**
* Concrete implementation of the RememberMeServicesInterface which needs
Expand Down Expand Up @@ -90,7 +91,7 @@ protected function processAutoLoginCookie(array $cookieParts, Request $request)
list($series, $tokenValue) = $cookieParts;
$persistentToken = $this->tokenProvider->loadTokenBySeries($series);

if ($persistentToken->getTokenValue() !== $tokenValue) {
if (!StringUtils::equals($persistentToken->getTokenValue(), $tokenValue)) {
throw new CookieTheftException('This token was already used. The account is possibly compromised.');
}

Expand Down
28 changes: 2 additions & 26 deletions src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Util\StringUtils;

/**
* Concrete implementation of the RememberMeServicesInterface providing
Expand Down Expand Up @@ -53,7 +54,7 @@ protected function processAutoLoginCookie(array $cookieParts, Request $request)
throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_class($user)));
}

if (true !== $this->compareHashes($hash, $this->generateCookieHash($class, $username, $expires, $user->getPassword()))) {
if (!StringUtils::equals($this->generateCookieHash($class, $username, $expires, $user->getPassword()), $hash)) {
throw new AuthenticationException('The cookie\'s hash is invalid.');
}

Expand All @@ -64,31 +65,6 @@ protected function processAutoLoginCookie(array $cookieParts, Request $request)
return $user;
}

/**
* Compares two hashes using a constant-time algorithm to avoid (remote)
* timing attacks.
*
* This is the same implementation as used in the BasePasswordEncoder.
*
* @param string $hash1 The first hash
* @param string $hash2 The second hash
*
* @return bool true if the two hashes are the same, false otherwise
*/
private function compareHashes($hash1, $hash2)
{
if (strlen($hash1) !== $c = strlen($hash2)) {
return false;
}

$result = 0;
for ($i = 0; $i < $c; ++$i) {
$result |= ord($hash1[$i]) ^ ord($hash2[$i]);
}

return 0 === $result;
}

/**
* {@inheritdoc}
*/
Expand Down
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy