Chad has submitted this change and it was merged.
Change subject: Minor code cleanup
......................................................................
Minor code cleanup
* Use php 5.6's hash_equals in compareHash
* Remove bsd licensed code I accidentally included in the first patch
Change-Id: Ia66e6ee34e8387dcd4bbc5524fa95b6e8e69bb35
---
M src/auth/PhutilAuthAdapterOAuthMediaWiki.php
1 file changed, 16 insertions(+), 14 deletions(-)
Approvals:
20after4: Verified; Looks good to me, approved
diff --git a/src/auth/PhutilAuthAdapterOAuthMediaWiki.php
b/src/auth/PhutilAuthAdapterOAuthMediaWiki.php
index cc9e821..95ccfee 100644
--- a/src/auth/PhutilAuthAdapterOAuthMediaWiki.php
+++ b/src/auth/PhutilAuthAdapterOAuthMediaWiki.php
@@ -137,9 +137,9 @@
private function decodeJWT($jwt) {
list($headb64, $bodyb64, $sigb64) = explode('.', $jwt);
- $header = json_decode($this->urlsafeB64Decode($headb64));
- $payload = json_decode($this->urlsafeB64Decode($bodyb64));
- $sig = $this->urlsafeB64Decode($sigb64);
+ $header = json_decode($this->jwtdecode($headb64));
+ $payload = json_decode($this->jwtdecode($bodyb64));
+ $sig = $this->jwtdecode($sigb64);
$expect_sig = hash_hmac(
'sha256',
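Review bot: The three segments from `explode('.', $jwt)` are passed straight to the new `jwtdecode()`/`json_decode()` calls without checking that the token has exactly three parts or that decoding succeeded. A malformed token would then produce undefined-offset notices and a null `$header` or `$payload` instead of a clean rejection. Whether later lines guard against this is not visible, because decodeJWT continues outside the hunk. Consider `$parts = explode('.', $jwt);` followed by `if (count($parts) !== 3) { throw new Exception('Malformed JWT'); }` before decoding, and reject a null `json_decode()` result.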
@@ -154,21 +154,23 @@
return $payload;
}
- private function urlsafeB64Decode($input) {
- $remainder = strlen($input) % 4;
- if ($remainder) {
- $padlen = 4 - $remainder;
- $input .= str_repeat('=', $padlen);
- }
- return base64_decode(strtr($input, '-_', '+/'));
+ private function jwtdecode($input) {
+ return base64_decode(strtr($input, array('-'=>'+', '_'=>'/')));
}
private function compareHash($hash1, $hash2) {
- $result = strlen($hash1) ^ strlen($hash2);
- $len = min(strlen($hash1), strlen($hash2));
- for ($i = 0; $i < $len; $i++) {
+ $result = false;
+ if (function_exists('hash_equals')) {
+ // Use PHP 5.6's hash_equals if available
+ $result = hash_equals($hash1, $hash2);
+ } else {
+ $result = strlen($hash1) ^ strlen($hash2);
+ $len = min(strlen($hash1), strlen($hash2));
+ for ($i = 0; $i < $len; $i++) {
$result |= ord($hash1{$i}) ^ ord($hash2{$i});
+ }
+ $result = ($result == 0);
}
- return $result == 0;
+ return $result;
}
}
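Review bot: `jwtdecode()` calls `base64_decode()` in its default non-strict mode, which silently discards characters outside the base64 alphabet, so several different token strings can decode to the same signature bytes and there is no failure signal for garbage input. Passing the strict flag, `base64_decode(strtr($input, '-_', '+/'), true)`, and treating a `false` return as an invalid token would make the accepted encoding tighter. Please confirm that strict mode accepts unpadded input on the PHP versions this library supports, since the padding step was removed here. Separately, `compareHash()` would benefit from a docblock stating which argument is the locally computed value, because `hash_equals()` expects the known string first and the callers are not visible in this hunk.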
--
To view, visit https://gerrit.wikimedia.org/r/147670
Gerrit-MessageType: merged
Gerrit-Change-Id: Ia66e6ee34e8387dcd4bbc5524fa95b6e8e69bb35
Gerrit-PatchSet: 1
Gerrit-Project: phabricator/libphutil
Gerrit-Branch: master
Gerrit-Owner: CSteipp <[email protected]>
Gerrit-Reviewer: 20after4 <[email protected]>
Gerrit-Reviewer: Chad <[email protected]>