2 files changed, +3 -28 lines changed
lines changed Original file line number Diff line number Diff line change 1- Securely Comparing Strings and Generating Random Numbers
2- ========================================================
1+ Securely Generating Random Numbers
2+ ==================================
33
44The Symfony Security component comes with a collection of nice utilities
55related to security. These utilities are used by Symfony, but you should
66also use them if you want to solve the problem they address.
77
8- Comparing Strings
9- ~~~~~~~~~~~~~~~~~
10-
11- The time it takes to compare two strings depends on their differences. This
12- can be used by an attacker when the two strings represent a password for
13- instance; it is known as a `Timing attack `_.
14-
15- Internally, when comparing two passwords, Symfony uses a constant-time
16- algorithm; you can use the same strategy in your own code thanks to the
17- :class: `Symfony\\ Component\\ Security\\ Core\\ Util\\ StringUtils ` class::
18-
19- use Symfony\Component\Security\Core\Util\StringUtils;
20-
21- // is some known string (e.g. password) equal to some user input?
22- $bool = StringUtils::equals($knownString, $userInput);
23-
248Generating a Secure random Number
259~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2610
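Review bot: Dropping the whole "Comparing Strings" section removes the only explanation in this document of why a constant-time comparison matters, even though the need has not gone away; rather than deleting it, consider keeping a shortened version that points readers to PHP's native `hash_equals()` as the replacement for `StringUtils::equals()`, so the timing-attack guidance survives the deprecation. Two follow-ups on the same hunk: the removed text carried the only reference to the `Timing attack`_ link, so make sure the matching `.. _Timing attack:` target definition elsewhere in this file is removed as well or Sphinx will warn about an unreferenced target; and with only one utility left, the unchanged intro paragraph ("comes with a collection of nice utilities ... These utilities are used by Symfony") now overstates what the page documents and should be reworded to the singular.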
Original file line number Diff line number Diff line change @@ -214,7 +214,6 @@ the ``PasswordDigest`` header value matches with the user's password.
214214 use Symfony\Component\Security\Core\Exception\NonceExpiredException;
215215 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
216216 use AppBundle\Security\Authentication\Token\WsseUserToken;
217- use Symfony\Component\Security\Core\Util\StringUtils;
218217
219218 class WsseProvider implements AuthenticationProviderInterface
220219 {
@@ -273,7 +272,7 @@ the ``PasswordDigest`` header value matches with the user's password.
273272 // Validate Secret
274273 $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
275274
276- return StringUtils::equals ($expected, $digest);
275+ return hash_equals ($expected, $digest);
277276 }
278277
279278 public function supports(TokenInterface $token)
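Review bot: `hash_equals()` only exists natively from PHP 5.6, so the chapter should state that requirement (or mention the `symfony/polyfill-php56` package, which provides it on older versions), otherwise readers on PHP 5.5 will copy a call that is undefined. The argument order is right as written, since `hash_equals()` expects the known value first and `$expected` is the locally computed digest while `$digest` is the value taken from the header. Style: `hash_equals ($expected, $digest)` has a space before the opening parenthesis, which the Symfony coding standard does not allow; write `return hash_equals($expected, $digest);`.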
@@ -290,14 +289,6 @@ the ``PasswordDigest`` header value matches with the user's password.
290289 provider for the given token. In the case of multiple providers, the
291290 authentication manager will then move to the next provider in the list.
292291
293- .. note ::
294-
295- The comparison of the expected and the provided digests uses a constant
296- time comparison provided by the
297- :method: `Symfony\\ Component\\ Security\\ Core\\ Util\\ StringUtils::equals `
298- method of the ``StringUtils `` class. It is used to mitigate possible
299- `timing attacks `_.
300-
301292The Factory
302293-----------
303294
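Review bot: Removing this note outright leaves the reader with an unexplained `hash_equals()` call in the code above; the point of the note (that the digest comparison must be constant-time to mitigate timing attacks) still applies, so reword it to reference `hash_equals()` instead of deleting it, e.g. "The comparison of the expected and the provided digests uses PHP's constant-time `hash_equals()` function to mitigate possible `timing attacks`_." If the note is removed after all, the `.. _timing attacks:` target definition that belongs to the `timing attacks`_ reference on the deleted line should go with it, or Sphinx will report an unreferenced target.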