update minimum required PHP version to 5.6 and replace slowEquals() with native hash_equals() function
This commit is contained in:
parent
2870023e9c
commit
5d54006c9e
4 changed files with 3 additions and 37 deletions
|
@ -1,6 +1,7 @@
|
||||||
# PrivateBin version history
|
# PrivateBin version history
|
||||||
|
|
||||||
* **1.4 (not yet released)**
|
* **1.4 (not yet released)**
|
||||||
|
* CHANGED: Minimum required PHP version is 5.6, due to a change in the identicon library and to use php's native hash_equals()
|
||||||
* CHANGED: Upgrading libraries to: DOMpurify 2.0.8
|
* CHANGED: Upgrading libraries to: DOMpurify 2.0.8
|
||||||
* **1.3.2 (2020-01-11)**
|
* **1.3.2 (2020-01-11)**
|
||||||
* ADDED: Translation for Ukrainian (#533)
|
* ADDED: Translation for Ukrainian (#533)
|
||||||
|
|
|
@ -35,7 +35,7 @@ class Controller
|
||||||
*
|
*
|
||||||
* @const string
|
* @const string
|
||||||
*/
|
*/
|
||||||
const MIN_PHP_VERSION = '5.5.0';
|
const MIN_PHP_VERSION = '5.6.0';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* show the same error message if the paste expired or does not exist
|
* show the same error message if the paste expired or does not exist
|
||||||
|
@ -276,9 +276,7 @@ class Controller
|
||||||
// accessing this method ensures that the paste would be
|
// accessing this method ensures that the paste would be
|
||||||
// deleted if it has already expired
|
// deleted if it has already expired
|
||||||
$paste->get();
|
$paste->get();
|
||||||
if (
|
if (hash_equals($paste->getDeleteToken(), $deletetoken)) {
|
||||||
Filter::slowEquals($deletetoken, $paste->getDeleteToken())
|
|
||||||
) {
|
|
||||||
// Paste exists and deletion token is valid: Delete the paste.
|
// Paste exists and deletion token is valid: Delete the paste.
|
||||||
$paste->delete();
|
$paste->delete();
|
||||||
$this->_status = 'Paste was properly deleted.';
|
$this->_status = 'Paste was properly deleted.';
|
||||||
|
|
|
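Review bot: The new `if (hash_equals($paste->getDeleteToken(), $deletetoken))` line accepts only strings, whereas the removed Filter::slowEquals() tolerated the mixed-type inputs its deleted tests exercised ('foo' against true, 0 and 123); if `$deletetoken` can reach this point as a non-string — it is not assigned inside the hunk, so its source is not visible here — PHP 5.6/7 emits a warning and returns false, and PHP 8 throws a TypeError. A cheap guard keeps the comparison well-defined for any input: `if (is_string($deletetoken) && hash_equals($paste->getDeleteToken(), $deletetoken)) {`. The argument order (stored token first, submitted value second) matches the hash_equals() contract and deserves a one-line comment, e.g. `// constant-time compare: known token first, user-supplied value second`. The FilterTest::testSlowEquals cases deleted in the same commit are not replaced by a test of this delete path, so the non-string case is now uncovered. The enclosing method starts and ends outside the hunk.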
@ -68,23 +68,4 @@ class Filter
|
||||||
}
|
}
|
||||||
return number_format($size, ($i ? 2 : 0), '.', ' ') . ' ' . I18n::_($iec[$i]);
|
return number_format($size, ($i ? 2 : 0), '.', ' ') . ' ' . I18n::_($iec[$i]);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* fixed time string comparison operation to prevent timing attacks
|
|
||||||
* https://crackstation.net/hashing-security.htm?=rd#slowequals
|
|
||||||
*
|
|
||||||
* @access public
|
|
||||||
* @static
|
|
||||||
* @param string $a
|
|
||||||
* @param string $b
|
|
||||||
* @return bool
|
|
||||||
*/
|
|
||||||
public static function slowEquals($a, $b)
|
|
||||||
{
|
|
||||||
$diff = strlen($a) ^ strlen($b);
|
|
||||||
for ($i = 0; $i < strlen($a) && $i < strlen($b); ++$i) {
|
|
||||||
$diff |= ord($a[$i]) ^ ord($b[$i]);
|
|
||||||
}
|
|
||||||
return $diff === 0;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -56,18 +56,4 @@ class FilterTest extends PHPUnit_Framework_TestCase
|
||||||
$this->assertEquals('1.00 YiB', Filter::formatHumanReadableSize(1024 * $exponent));
|
$this->assertEquals('1.00 YiB', Filter::formatHumanReadableSize(1024 * $exponent));
|
||||||
$this->assertEquals('1.21 YiB', Filter::formatHumanReadableSize(1234 * $exponent));
|
$this->assertEquals('1.21 YiB', Filter::formatHumanReadableSize(1234 * $exponent));
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testSlowEquals()
|
|
||||||
{
|
|
||||||
$this->assertTrue(Filter::slowEquals('foo', 'foo'), 'same string');
|
|
||||||
$this->assertFalse(Filter::slowEquals('foo', true), 'string and boolean');
|
|
||||||
$this->assertFalse(Filter::slowEquals('foo', 0), 'string and integer');
|
|
||||||
$this->assertFalse(Filter::slowEquals('123foo', 123), 'string and integer');
|
|
||||||
$this->assertFalse(Filter::slowEquals('123foo', '123'), 'different strings');
|
|
||||||
$this->assertFalse(Filter::slowEquals('6', ' 6'), 'strings with space');
|
|
||||||
$this->assertFalse(Filter::slowEquals('4.2', '4.20'), 'floats as strings');
|
|
||||||
$this->assertFalse(Filter::slowEquals('1e3', '1000'), 'integers as strings');
|
|
||||||
$this->assertFalse(Filter::slowEquals('9223372036854775807', '9223372036854775808'), 'large integers as strings');
|
|
||||||
$this->assertFalse(Filter::slowEquals('61529519452809720693702583126814', '61529519452809720000000000000000'), 'larger integers as strings');
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|