Time attack protection on hmac comparison

This fixes issue 2.7 of https://defuse.ca/audits/zerobin.htm, and thus
(with commit a24212afda90ca3e4b4ff5ce30d2012709b58a28) also issue 2.8.

(cherry picked from commit 0b4db7ece313dd268e51fc47a0293a649927558a)

Conflicts:
	index.php

tst/filter.php

@@ -44,4 +44,25 @@ class filterTest extends PHPUnit_Framework_TestCase
         $this->assertEquals('1.00 YiB', filter::size_humanreadable(1024 * $exponent));
         $this->assertEquals('1.21 YiB', filter::size_humanreadable(1234 * $exponent));
     }
+
+    public function testPasteIdValidation()
+    {
+        $this->assertTrue(filter::is_valid_paste_id('a242ab7bdfb2581a'), 'valid paste id');
+        $this->assertFalse(filter::is_valid_paste_id('foo'), 'invalid hex values');
+        $this->assertFalse(filter::is_valid_paste_id('../bar/baz'), 'path attack');
+    }
+
+    public function testSlowEquals()
+    {
+        $this->assertTrue(filter::slow_equals('foo', 'foo'), 'same string');
+        $this->assertFalse(filter::slow_equals('foo', true), 'string and boolean');
+        $this->assertFalse(filter::slow_equals('foo', 0), 'string and integer');
+        $this->assertFalse(filter::slow_equals('123foo', 123), 'string and integer');
+        $this->assertFalse(filter::slow_equals('123foo', '123'), 'different strings');
+        $this->assertFalse(filter::slow_equals('6', ' 6'), 'strings with space');
+        $this->assertFalse(filter::slow_equals('4.2', '4.20'), 'floats as strings');
+        $this->assertFalse(filter::slow_equals('1e3', '1000'), 'integers as strings');
+        $this->assertFalse(filter::slow_equals('9223372036854775807', '9223372036854775808'), 'large integers as strings');
+        $this->assertFalse(filter::slow_equals('61529519452809720693702583126814', '61529519452809720000000000000000'), 'larger integers as strings');
+    }
 }