Re: [VOTE] Timing attack safe string comparison function

From: 
Date: Wed, 05 Feb 2014 02:39:06 +0000
Subject: Re: [VOTE] Timing attack safe string comparison function
Groups: php.internals
Hi all,

On Tue, Feb 4, 2014 at 1:18 AM, Sara Golemon <[email protected]> wrote:

> Voted yes, but IMO the comparison function should behave a little more
> like ===.  That is: something like hash_compare(null,"") should return
> false.  Possibly be even more strict and require both input parameters
> to be string (e.g. hash_compare(123,123) would return false as well).
>

Good point!

A comment just to make sure we have a better implementation.
hash_compare() should not accept anything other than string.
E_WARNING is appropriate, IMO.
So getting the parameter as a zval and checking types before processing
is preferred.

Regards,

--
Yasuo Ohgaki
[email protected]
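The strictness discussed in this thread (reject non-string arguments with E_WARNING, and compare the rest without an early exit) sketched as a userland PHP function. This is an added illustration, not the RFC's or PHP's own implementation; the name hash_compare_strict and the sample inputs are assumptions.

```php
<?php
// Added illustration (not the RFC's or PHP's own code): a userland
// constant-time comparison that enforces the strictness proposed in the
// thread. Both arguments must be strings; anything else raises E_WARNING
// and returns false, so hash_compare_strict(null, "") and
// hash_compare_strict(123, 123) are both false rather than being silently
// coerced and compared as strings.
function hash_compare_strict($known, $user): bool
{
    if (!is_string($known) || !is_string($user)) {
        trigger_error(
            'hash_compare_strict(): both arguments must be strings',
            E_WARNING
        );
        return false;
    }

    // A length mismatch returns early. This reveals only the length of the
    // known string; the contents are never compared with an early exit.
    $len = strlen($known);
    if ($len !== strlen($user)) {
        return false;
    }

    // Accumulate byte differences with XOR/OR so the loop always runs to
    // the end, regardless of where (or whether) the first mismatch occurs.
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Constructed sample inputs: two string comparisons, then the two
// non-string cases raised in the thread (each emits E_WARNING).
var_dump(hash_compare_strict('abc', 'abc'));
var_dump(hash_compare_strict('abc', 'abd'));
var_dump(hash_compare_strict(null, ''));
var_dump(hash_compare_strict(123, 123));
```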

