update minimum required PHP version to 5.6 and replace slowEquals() with native hash_equals() function

This commit is contained in:
El RIDO 2020-02-05 19:30:14 +01:00
parent 2870023e9c
commit 5d54006c9e
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92
4 changed files with 3 additions and 37 deletions

View file

@ -1,6 +1,7 @@
# PrivateBin version history # PrivateBin version history
* **1.4 (not yet released)** * **1.4 (not yet released)**
* CHANGED: Minimum required PHP version is 5.6, due to a change in the identicon library and to use php's native hash_equals()
* CHANGED: Upgrading libraries to: DOMpurify 2.0.8 * CHANGED: Upgrading libraries to: DOMpurify 2.0.8
* **1.3.2 (2020-01-11)** * **1.3.2 (2020-01-11)**
* ADDED: Translation for Ukrainian (#533) * ADDED: Translation for Ukrainian (#533)

View file

@ -35,7 +35,7 @@ class Controller
* *
* @const string * @const string
*/ */
const MIN_PHP_VERSION = '5.5.0'; const MIN_PHP_VERSION = '5.6.0';
/** /**
* show the same error message if the paste expired or does not exist * show the same error message if the paste expired or does not exist
@ -276,9 +276,7 @@ class Controller
// accessing this method ensures that the paste would be // accessing this method ensures that the paste would be
// deleted if it has already expired // deleted if it has already expired
$paste->get(); $paste->get();
if ( if (hash_equals($paste->getDeleteToken(), $deletetoken)) {
Filter::slowEquals($deletetoken, $paste->getDeleteToken())
) {
// Paste exists and deletion token is valid: Delete the paste. // Paste exists and deletion token is valid: Delete the paste.
$paste->delete(); $paste->delete();
$this->_status = 'Paste was properly deleted.'; $this->_status = 'Paste was properly deleted.';

View file

@ -68,23 +68,4 @@ class Filter
} }
return number_format($size, ($i ? 2 : 0), '.', ' ') . ' ' . I18n::_($iec[$i]); return number_format($size, ($i ? 2 : 0), '.', ' ') . ' ' . I18n::_($iec[$i]);
} }
/**
* fixed time string comparison operation to prevent timing attacks
* https://crackstation.net/hashing-security.htm?=rd#slowequals
*
* @access public
* @static
* @param string $a
* @param string $b
* @return bool
*/
public static function slowEquals($a, $b)
{
$diff = strlen($a) ^ strlen($b);
for ($i = 0; $i < strlen($a) && $i < strlen($b); ++$i) {
$diff |= ord($a[$i]) ^ ord($b[$i]);
}
return $diff === 0;
}
} }

View file

@ -56,18 +56,4 @@ class FilterTest extends PHPUnit_Framework_TestCase
$this->assertEquals('1.00 YiB', Filter::formatHumanReadableSize(1024 * $exponent)); $this->assertEquals('1.00 YiB', Filter::formatHumanReadableSize(1024 * $exponent));
$this->assertEquals('1.21 YiB', Filter::formatHumanReadableSize(1234 * $exponent)); $this->assertEquals('1.21 YiB', Filter::formatHumanReadableSize(1234 * $exponent));
} }
public function testSlowEquals()
{
$this->assertTrue(Filter::slowEquals('foo', 'foo'), 'same string');
$this->assertFalse(Filter::slowEquals('foo', true), 'string and boolean');
$this->assertFalse(Filter::slowEquals('foo', 0), 'string and integer');
$this->assertFalse(Filter::slowEquals('123foo', 123), 'string and integer');
$this->assertFalse(Filter::slowEquals('123foo', '123'), 'different strings');
$this->assertFalse(Filter::slowEquals('6', ' 6'), 'strings with space');
$this->assertFalse(Filter::slowEquals('4.2', '4.20'), 'floats as strings');
$this->assertFalse(Filter::slowEquals('1e3', '1000'), 'integers as strings');
$this->assertFalse(Filter::slowEquals('9223372036854775807', '9223372036854775808'), 'large integers as strings');
$this->assertFalse(Filter::slowEquals('61529519452809720693702583126814', '61529519452809720000000000000000'), 'larger integers as strings');
}
} }