diff --git a/CHANGELOG.md b/CHANGELOG.md index a6a80c68..d5818f40 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ # PrivateBin version history * **1.4 (not yet released)** + * CHANGED: Minimum required PHP version is 5.6, due to a change in the identicon library and to use php's native hash_equals() * CHANGED: Upgrading libraries to: DOMpurify 2.0.8 * **1.3.2 (2020-01-11)** * ADDED: Translation for Ukrainian (#533) diff --git a/lib/Controller.php b/lib/Controller.php index 18e58522..473853f9 100644 --- a/lib/Controller.php +++ b/lib/Controller.php @@ -35,7 +35,7 @@ class Controller * * @const string */ - const MIN_PHP_VERSION = '5.5.0'; + const MIN_PHP_VERSION = '5.6.0'; /** * show the same error message if the paste expired or does not exist @@ -276,9 +276,7 @@ class Controller // accessing this method ensures that the paste would be // deleted if it has already expired $paste->get(); - if ( - Filter::slowEquals($deletetoken, $paste->getDeleteToken()) - ) { + if (hash_equals($paste->getDeleteToken(), $deletetoken)) { // Paste exists and deletion token is valid: Delete the paste. $paste->delete(); $this->_status = 'Paste was properly deleted.'; diff --git a/lib/Filter.php b/lib/Filter.php index 19aeb38d..26892c79 100644 --- a/lib/Filter.php +++ b/lib/Filter.php @@ -68,23 +68,4 @@ class Filter } return number_format($size, ($i ? 2 : 0), '.', ' ') . ' ' . I18n::_($iec[$i]); } - - /** - * fixed time string comparison operation to prevent timing attacks - * https://crackstation.net/hashing-security.htm?=rd#slowequals - * - * @access public - * @static - * @param string $a - * @param string $b - * @return bool - */ - public static function slowEquals($a, $b) - { - $diff = strlen($a) ^ strlen($b); - for ($i = 0; $i < strlen($a) && $i < strlen($b); ++$i) { - $diff |= ord($a[$i]) ^ ord($b[$i]); - } - return $diff === 0; - } } diff --git a/tst/FilterTest.php b/tst/FilterTest.php index 96097a02..284802f0 100644 --- a/tst/FilterTest.php +++ b/tst/FilterTest.php @@ -56,18 +56,4 @@ class FilterTest extends PHPUnit_Framework_TestCase $this->assertEquals('1.00 YiB', Filter::formatHumanReadableSize(1024 * $exponent)); $this->assertEquals('1.21 YiB', Filter::formatHumanReadableSize(1234 * $exponent)); } - - public function testSlowEquals() - { - $this->assertTrue(Filter::slowEquals('foo', 'foo'), 'same string'); - $this->assertFalse(Filter::slowEquals('foo', true), 'string and boolean'); - $this->assertFalse(Filter::slowEquals('foo', 0), 'string and integer'); - $this->assertFalse(Filter::slowEquals('123foo', 123), 'string and integer'); - $this->assertFalse(Filter::slowEquals('123foo', '123'), 'different strings'); - $this->assertFalse(Filter::slowEquals('6', ' 6'), 'strings with space'); - $this->assertFalse(Filter::slowEquals('4.2', '4.20'), 'floats as strings'); - $this->assertFalse(Filter::slowEquals('1e3', '1000'), 'integers as strings'); - $this->assertFalse(Filter::slowEquals('9223372036854775807', '9223372036854775808'), 'large integers as strings'); - $this->assertFalse(Filter::slowEquals('61529519452809720693702583126814', '61529519452809720000000000000000'), 'larger integers as strings'); - } }