Re: [VOTE] Timing attack safe string comparison function

From:
Date: Wed, 05 Feb 2014 20:18:17 +0000
Subject: Re: [VOTE] Timing attack safe string comparison function
Groups: php.internals 
Hi,

Incidentally, I've been doing some research on this problem, so here's
my 2 cents:

Why not add a third parameter to specify the minimum length? Something
like a time-attack-safe strncmp(). Give that parameter a sane enough
value for today and it could be increased in the future without
changing APIs and upsetting users.

+1 on E_WARNING for non-string input.

Cheers,
Andrey.
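
Added example, not part of Andrey's message or of the PHP source: one possible reading of the minimum-length idea in C, where the comparison loop runs for at least min_len bytes so that known strings shorter than that floor all cost the same to compare. The name ts_str_equals, its signature, its return convention and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: returns 1 when the strings are equal, else 0.
 * known/known_len is the secret, user/user_len the untrusted input,
 * min_len the floor on the number of loop iterations. */
int ts_str_equals(const char *known, size_t known_len,
                  const char *user, size_t user_len, size_t min_len)
{
    /* The iteration count depends only on the fixed floor and on the
     * attacker-supplied length, never on known_len. */
    size_t n = user_len > min_len ? user_len : min_len;
    /* volatile keeps the compiler from exiting the loop early once a
     * difference has been seen. */
    volatile unsigned char diff = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        /* Out-of-range positions are padded with 0. A compiler may still
         * emit branches for these selects, so inspect the generated code
         * on the target before relying on it. */
        unsigned char k = i < known_len ? (unsigned char)known[i] : 0;
        unsigned char u = i < user_len ? (unsigned char)user[i] : 0;
        diff |= (unsigned char)(k ^ u);
    }

    /* Zero padding alone would make "ab" equal "ab\0", so a length
     * mismatch is folded into the result after the loop. */
    diff |= (unsigned char)(known_len != user_len);
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values. */
    const char *known = "s3cr3t-token";
    printf("equal:      %d\n", ts_str_equals(known, 12, "s3cr3t-token", 12, 32));
    printf("wrong byte: %d\n", ts_str_equals(known, 12, "s3cr3t-tokeN", 12, 32));
    printf("too short:  %d\n", ts_str_equals(known, 12, "s3c", 3, 32));
    return 0;
}
```

Raising min_len later only lengthens the loop for short inputs; callers and results are unaffected.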

