Fixing timing attack vuln. on HMAC comparison (pterodactyl#409)

filipnyquist · DaneEveritt · commit 5cc28a0716c0 · 2017-04-24T16:49:03.000-04:00
diff --git a/app/Http/Middleware/HMACAuthorization.php b/app/Http/Middleware/HMACAuthorization.php
@@ -170,7 +170,7 @@ protected function validateIPAccess()
      */
     protected function validateContents()
     {
-        if (base64_decode($this->hash()) !== $this->generateSignature()) {
+        if (! hash_equals(base64_decode($this->hash()), $this->generateSignature())) {
             throw new BadRequestHttpException('The HMAC for the request was invalid.');
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -170,7 +170,7 @@ protected function validateIPAccess()`
`170`	`170`	`*/`
`171`	`171`	`protected function validateContents()`
`172`	`172`	`{`
`173`		`- if (base64_decode($this->hash()) !== $this->generateSignature()) {`
	`173`	`+ if (! hash_equals(base64_decode($this->hash()), $this->generateSignature())) {`
`174`	`174`	`throw new BadRequestHttpException('The HMAC for the request was invalid.');`
`175`	`175`	`}`
`176`	`176`	`}`