bugfix: SimpleSAML\Utils\Crypto returns true for different strings using PHP < 5.6.

The reason was the lack of conversion to integer for each character of the strings before applying the XOR operator to them. The operator always returns an empty string when applied to two characters, and applying a binary-wise OR between 0 and an empty string yields 0. Therefore, $diff is always 0, and the function returns true for any two strings of the same length, regardless of their contents.
jaimeperez committed May 5, 2017
1 parent f931e2e commit 4bc6296
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/SimpleSAML/Utils/Crypto.php
Expand Up @@ -404,8 +404,8 @@ public static function secureCompare($known, $user)
return false; // length differs
}
$diff = 0;
for ($i = 0; $i < $len; ++$i) {
$diff |= $known[$i] ^ $user[$i];
for ($i = 0; $i < $len; $i++) {
$diff |= ord($known[$i]) ^ ord($user[$i]);
}
// if all the bytes in $a and $b are identical, $diff should be equal to 0
return $diff === 0;
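Review bot: the fix ships without a regression test; a test case with two different strings of equal length (the exact input the commit message says was reported as equal) would have caught this and should be added next to the fix so it cannot silently regress again. Two smaller points in the hunk: the comment `// if all the bytes in $a and $b are identical` still refers to `$a` and `$b` although the parameters are `$known` and `$user`, so update it to match; and rewriting `++$i` as `$i++` is unrelated style churn that widens the diff of a security fix for no functional gain.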

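The following is an added, stand-alone illustration of the corrected comparison; it is not SimpleSAMLphp's own code. It reimplements the fixed loop as `constantTimeEquals()` (a hypothetical name) and sets it beside `hash_equals()`, the built-in constant-time comparison that PHP 5.6 introduced for this purpose, then runs both over constructed inputs, including the case the bug missed: same length, different content. The broken pre-fix loop is deliberately not reproduced, because what a string XOR result does inside an integer OR varies with the PHP version.

```php
<?php
// Added example, not SimpleSAMLphp's code. Inputs below are constructed.

/**
 * Constant-time comparison of two strings (hypothetical helper).
 * Mirrors the fixed loop: ord() turns each byte into an int, so the XOR and
 * the OR accumulate an integer that becomes non-zero as soon as any byte
 * differs, and stays non-zero no matter how many later bytes match.
 */
function constantTimeEquals(string $known, string $user): bool
{
    $len = strlen($known);
    if ($len !== strlen($user)) {
        return false; // length differs (this early exit reveals only the length)
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    // if all bytes in $known and $user are identical, $diff is still 0
    return $diff === 0;
}

/** Preferred on PHP >= 5.6: the built-in constant-time comparison. */
function builtinEquals(string $known, string $user): bool
{
    return hash_equals($known, $user);
}

// Constructed test vectors: [known, user, expected result].
// The second pair is the case the bug missed: same length, different content.
$cases = [
    ['secret-token', 'secret-token', true],
    ['secret-token', 'SECRET-TOKEN', false],
    ['secret-token', 'secret-toke',  false],
    ['',             '',             true],
];

foreach ($cases as [$known, $user, $expected]) {
    $loop    = constantTimeEquals($known, $user);
    $builtin = builtinEquals($known, $user);
    printf(
        "%-16s vs %-16s loop=%-5s hash_equals=%-5s %s\n",
        json_encode($known),
        json_encode($user),
        var_export($loop, true),
        var_export($builtin, true),
        ($loop === $expected && $builtin === $expected) ? 'ok' : 'MISMATCH'
    );
}
```

Both functions should agree on every row; a `MISMATCH` on the second row is exactly the symptom this commit fixes. On any PHP that has `hash_equals()`, prefer it over a hand-written loop, since it is maintained with the runtime and does not depend on the operand-type subtleties that caused this bug.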