From f0620a74c8a1a25ceb957819e528ef5a7d044d6e Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Mon, 19 Jul 2010 16:47:49 -0700
Subject: Provisional OAuth, OpenID token check timing attack patches

---
 extlib/OAuth.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'extlib/OAuth.php')

diff --git a/extlib/OAuth.php b/extlib/OAuth.php
index 648627b57..04984d5fa 100644
--- a/extlib/OAuth.php
+++ b/extlib/OAuth.php
@@ -54,6 +54,24 @@ class OAuthSignatureMethod {/*{{{*/
 public function check_signature(&$request, $consumer, $token, $signature) {
 $built = $this->build_signature($request, $consumer, $token);
 return $built == $signature;
+
+ // Check for zero length, although unlikely here
+ if (strlen($built) == 0 || strlen($signature) == 0) {
+ return false;
+ }
+
+ if (strlen($built) != strlen($signature)) {
+ return false;
+ }
+
+ $result = 0;
+
+ // Avoid a timing leak with a (hopefully) time insensitive compare
+ for ($i = 0; $i < strlen($signature); $i++) {
+ $result |= ord($built{$i}) ^ ord($signature{$i});
+ }
+
+ return $result == 0;
 }
 }/*}}}*/
-- 
cgit v1.2.3-54-g00ecf
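Review bot: The constant-time comparison added to check_signature is dead code, because the pre-existing context line `return $built == $signature;` directly above the new block is kept rather than removed, so every caller still gets the loose `==` comparison the patch set out to replace (including PHP's numeric-string coercion on `==`, not just the timing behaviour). Remove that line so the length checks and the XOR loop actually execute; on PHP 5.6 and later the whole tail can simply be `return hash_equals($built, $signature);`, which is the standard-library routine for exactly this. Two smaller points on the new lines: the `$built{$i}` brace offset syntax is removed in PHP 8, so `$built[$i]` is the portable spelling, and the early `return false` on a length mismatch still discloses the expected signature's length, which is normally acceptable here but deserves a one-line comment saying so.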