authorBrion Vibber <brion@pobox.com>2010-07-19 16:47:49 -0700
committerBrion Vibber <brion@pobox.com>2010-07-19 16:47:49 -0700
commitf0620a74c8a1a25ceb957819e528ef5a7d044d6e (patch)
tree086ff00c6e4471d3cfc03b1bf884b164e28e52bb /extlib/OAuth.php
parentd51820adc52aef962542ecc6da0607ce0118fefc (diff)
Provisional OAuth, OpenID token check timing attack patches
Diffstat (limited to 'extlib/OAuth.php')
-rw-r--r--extlib/OAuth.php18
1 files changed, 18 insertions, 0 deletions
diff --git a/extlib/OAuth.php b/extlib/OAuth.php
index 648627b57..04984d5fa 100644
--- a/extlib/OAuth.php
+++ b/extlib/OAuth.php
@@ -54,6 +54,24 @@ class OAuthSignatureMethod {/*{{{*/
public function check_signature(&$request, $consumer, $token, $signature) {
$built = $this->build_signature($request, $consumer, $token);
return $built == $signature;
+
+ // Check for zero length, although unlikely here
+ if (strlen($built) == 0 || strlen($signature) == 0) {
+ return false;
+ }
+
+ if (strlen($built) != strlen($signature)) {
+ return false;
+ }
+
+ $result = 0;
+
+ // Avoid a timing leak with a (hopefully) time insensitive compare
+ for ($i = 0; $i < strlen($signature); $i++) {
+ $result |= ord($built{$i}) ^ ord($signature{$i});
+ }
+
+ return $result == 0;
}
}/*}}}*/
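Review bot: The constant-time comparison added after line 23 is dead code, because the original `return $built == $signature;` is kept as an unchanged context line and still returns before any of the new checks run; the hunk needs to delete that line (`-        return $built == $signature;`) or check_signature keeps the timing-leaky compare this commit set out to fix. That surviving `==` is also the wrong operator on its own merits: PHP compares numeric-looking strings numerically, so two distinct signatures of the form `"0e123"` and `"0e456"` would compare equal. Once the early return is gone the loop is sound (the zero-length guard correctly rejects an empty/empty pair that the XOR loop alone would accept), though a `$built[$i]` index would be preferable to `$built{$i}`, which later PHP versions remove. On PHP 5.6 or newer the whole block can be replaced by `return hash_equals($built, $signature);`, which performs the same length-checked constant-time compare.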