Update CSRF comparison to use hash_equals()

SammyK · SammyK · commit 3858c7e21b5b · 2016-02-09T16:20:15.000-06:00
diff --git a/src/Facebook/Helpers/FacebookRedirectLoginHelper.php b/src/Facebook/Helpers/FacebookRedirectLoginHelper.php
@@ -235,27 +235,19 @@ public function getAccessToken($redirectUrl = null)
     protected function validateCsrf()
     {
         $state = $this->getState();
-        $savedState = $this->persistentDataHandler->get('state');
-
-        if (!$state || !$savedState) {
-            throw new FacebookSDKException('Cross-site request forgery validation failed. Required param "state" missing.');
+        if (!$state) {
+            throw new FacebookSDKException('Cross-site request forgery validation failed. Required GET param "state" missing.');
         }
-
-        $savedLen = strlen($savedState);
-        $givenLen = strlen($state);
-
-        if ($savedLen !== $givenLen) {
-            throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.');
+        $savedState = $this->persistentDataHandler->get('state');
+        if (!$savedState) {
+            throw new FacebookSDKException('Cross-site request forgery validation failed. Required param "state" missing from persistent data.');
         }
 
-        $result = 0;
-        for ($i = 0; $i < $savedLen; $i++) {
-            $result |= ord($state[$i]) ^ ord($savedState[$i]);
+        if (\hash_equals($savedState, $state)) {
+            return;
         }
 
-        if ($result !== 0) {
-            throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.');
-        }
+        throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.');
     }
 
     /**
