2014.03.18. 17:14, "Adam Harvey" <[email protected]> ezt írta:
>
> On 18 March 2014 04:23, Rouven Weßling <[email protected]> wrote:
> >
> > On 18.03.2014, at 02:04, Yasuo Ohgaki <[email protected]> wrote:
> >
> > > On Mon, Feb 3, 2014 at 7:50 AM, Rouven Weßling <[email protected]> wrote:
> > >>
> > >> as I've received no further feedback I've opened the voting on "Timing
> > >> attack safe string comparison function":
> > >>
> > >> - https://wiki.php.net/rfc/timing_attack
> > >
> > > Is there any progress?
> >
> > The pull request (https://github.com/php/php-src/pull/608) for that RFC is waiting to be merged, I hope someone gets to it before beta1.
>
> I'll look at merging it today.
>
> > > From benchmark result, overhead for timing safe comparison is negligible
> > > with byte by byte comparison.
> > > I would like to see timing safe "===" for 5.6, if it's possible.. (== could
> > > be timing safe, too)
> > >
> > > Is anyone working on it?
> >
> > I don't know if someone else is, but I am not.
>
> I'm not in favour of this — identity doesn't imply timing safety, and
> I think we should keep operators as performant as possible.
>
Agree and afair it was explicitly stated as out of scope for this rfc.
(sorry for not merging this sooner, thanks Adam for taking care of this).
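Added example (editor's illustration, not part of this thread and not the code from the pull request): a small C program contrasting an early-exit comparison, which is what a generic == or === gives you, with the byte-by-byte accumulate-and-compare that a timing-safe string comparison uses, the technique the RFC above proposes and that PHP 5.6 shipped as hash_equals(). The `bytes_examined` counter is instrumentation invented for this example so the leak is visible deterministically rather than by measuring clock time; the token and guess values are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one comparison. bytes_examined is instrumentation added for
 * this example: it counts how many byte positions were looked at before the
 * function returned, which is the quantity a timing attacker measures. */
struct cmp_result {
    int equal;
    size_t bytes_examined;
};

/* Early-exit comparison, the behaviour a generic == / === gives: it returns
 * at the first mismatching byte, so the work done grows with the length of
 * the prefix the caller already has right. */
struct cmp_result naive_equals(const unsigned char *a, size_t alen,
                               const unsigned char *b, size_t blen)
{
    struct cmp_result r = {0, 0};
    if (alen != blen)
        return r;
    for (size_t i = 0; i < alen; i++) {
        r.bytes_examined++;
        if (a[i] != b[i])
            return r;
    }
    r.equal = 1;
    return r;
}

/* Timing-safe comparison: every byte pair is XORed into an accumulator and
 * the loop never exits early, so the work depends only on the length. The
 * length check itself is allowed to leak: the length of a MAC or token is
 * not a secret. */
struct cmp_result timing_safe_equals(const unsigned char *a, size_t alen,
                                     const unsigned char *b, size_t blen)
{
    struct cmp_result r = {0, 0};
    if (alen != blen)
        return r;
    unsigned char diff = 0;
    for (size_t i = 0; i < alen; i++) {
        diff |= (unsigned char)(a[i] ^ b[i]);
        r.bytes_examined++;
    }
    r.equal = (diff == 0);
    return r;
}

/* Wrappers for NUL-terminated strings so main() stays short. */
struct cmp_result naive_str(const char *a, const char *b)
{
    return naive_equals((const unsigned char *)a, strlen(a),
                        (const unsigned char *)b, strlen(b));
}

struct cmp_result timing_safe_str(const char *a, const char *b)
{
    return timing_safe_equals((const unsigned char *)a, strlen(a),
                              (const unsigned char *)b, strlen(b));
}

int main(void)
{
    /* Constructed values: a stored token and guesses sharing a growing prefix. */
    const char *secret = "5f3a9c1e";
    const char *guesses[] = {"00000000", "5f000000", "5f3a0000", "5f3a9c00", "5f3a9c1e"};

    printf("%-10s %-14s %-14s\n", "guess", "naive", "timing-safe");
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        struct cmp_result n = naive_str(secret, guesses[i]);
        struct cmp_result s = timing_safe_str(secret, guesses[i]);
        printf("%-10s %zu bytes%-6s %zu bytes%s\n", guesses[i],
               n.bytes_examined, n.equal ? " (eq)" : "",
               s.bytes_examined, s.equal ? " (eq)" : "");
    }
    return 0;
}
```

The naive column grows by one byte for every correct prefix byte, which is exactly the signal a remote timing attack accumulates over many requests; the timing-safe column is a constant 8 for every guess of the right length. The counter models loop iterations only: real wall-clock behaviour also depends on the compiler and CPU, which is one reason the thread keeps this property in a dedicated function rather than promising it for the operators.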