update minimum required PHP version to 5.6 and replace slowEquals() with native hash_equals() function

2020-02-05 19:30:14 +01:00
parent 2870023e9c
commit 5d54006c9e
4 changed files with 3 additions and 37 deletions
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -35,7 +35,7 @@ class Controller
     *
     * @const string
     */
-    const MIN_PHP_VERSION = '5.5.0';
+    const MIN_PHP_VERSION = '5.6.0';

    /**
     * show the same error message if the paste expired or does not exist
@@ -276,9 +276,7 @@ class Controller
                // accessing this method ensures that the paste would be
                // deleted if it has already expired
                $paste->get();
-                if (
-                    Filter::slowEquals($deletetoken, $paste->getDeleteToken())
-                ) {
+                if (hash_equals($paste->getDeleteToken(), $deletetoken)) {
                    // Paste exists and deletion token is valid: Delete the paste.
                    $paste->delete();
                    $this->_status = 'Paste was properly deleted.';
--- a/lib/Filter.php
+++ b/lib/Filter.php
@@ -68,23 +68,4 @@ class Filter
        }
        return number_format($size, ($i ? 2 : 0), '.', ' ') . ' ' . I18n::_($iec[$i]);
    }
-
-    /**
-     * fixed time string comparison operation to prevent timing attacks
-     * https://crackstation.net/hashing-security.htm?=rd#slowequals
-     *
-     * @access public
-     * @static
-     * @param  string $a
-     * @param  string $b
-     * @return bool
-     */
-    public static function slowEquals($a, $b)
-    {
-        $diff = strlen($a) ^ strlen($b);
-        for ($i = 0; $i < strlen($a) && $i < strlen($b); ++$i) {
-            $diff |= ord($a[$i]) ^ ord($b[$i]);
-        }
-        return $diff === 0;
-    }
 }