
Untitled

a guest
Jun 24th, 2017
  1. diff --git modules/openid/openid.inc modules/openid/openid.inc
  2. index 9223a4d..ba89a00 100644
  3. --- modules/openid/openid.inc
  4. +++ modules/openid/openid.inc
  5. @@ -443,3 +443,29 @@ if (!function_exists('bcpowmod')) {
  6.      return $result;
  7.    }
  8.  }
  9. +
  10. +/**
  11. + * Compare two strings of equal length in constant time.
  12. + *
  13. + * @param $a
  14. + *   String to compare with $b.
  15. + * @param $b
  16. + *   String to compare with $a.
  17. + *
  18. + * @return
  19. + *   TRUE if the strings are equal, FALSE otherwise.
  20. + *
  21. + */
  22. +function _openid_string_compare($a, $b) {
  23. +  $alen = strlen($a);
  24. +  if ($alen != strlen($b)) {
  25. +    return FALSE;
  26. +  }
  27. +
  28. +  $result = 0;
  29. +  for ($i = 0 ; $i < $alen; $i++) {
  30. +    $result |= (ord($a[$i]) ^ ord($b[$i]));
  31. +  }
  32. +  return $result == 0;
  33. +}
  34. +
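Review bot: `_openid_string_compare()` never checks that `$a` and `$b` are strings, yet the call site in openid.module passes `$response['openid.sig']` straight in, and that value appears to come from the remote response. A non-string value would reach `strlen()` and the `$a[$i]` indexing; a guard such as `if (!is_string($a) || !is_string($b)) { return FALSE; }` ahead of the length check makes that failure mode explicit. Where the runtime provides `hash_equals()` (PHP 5.6+), delegating to it behind a `function_exists('hash_equals')` test is preferable to the hand-rolled loop. The docblock should also state that strings of unequal length return early, so only the equal-length path is constant-time.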
  35. diff --git modules/openid/openid.module modules/openid/openid.module
  36. index 9886487..34a45d5 100644
  37. --- modules/openid/openid.module
  38. +++ modules/openid/openid.module
  39. @@ -585,7 +611,7 @@ function openid_verify_assertion_signature($service, $association, $response) {
  40.      return FALSE;
  41.    }
  42.  
  43. -  return _openid_signature($association, $response, $keys_to_sign) == $response['openid.sig'];
  44. +  return _openid_string_compare(_openid_signature($association, $response, $keys_to_sign), $response['openid.sig']);
  45.  }
  46.  
  47.  /**
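Review bot: The new return line in openid_verify_assertion_signature() has no comment explaining why a helper replaces `==`, so a later cleanup could revert it. I would add above it `// Compare in constant time so response timing does not reveal how much of the signature matched.` The locally computed signature is passed first and the response value second, which is the argument order `hash_equals()` expects, so a later switch to it stays straightforward. The function body starts outside the hunk, so whether `openid.sig` is checked for presence earlier cannot be seen from here.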