
Enforce time safe string comparison. (#831)
lucasmichot authored Jun 23, 2021
1 parent 2fde0a9 commit 1049337
Showing 3 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion src/ShopifyApp/Http/Middleware/AuthProxy.php
Expand Up @@ -63,7 +63,7 @@ public function handle(Request $request, Closure $next)
],
getShopifyConfig('api_secret', $shop)
);
if ($signature !== $signatureLocal || $shop->isNull()) {
if (hash_equals($signature, $signatureLocal) === false || $shop->isNull()) {
// Issue with HMAC or missing shop header
return Response::make('Invalid proxy signature.', 401);
}
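Review bot: The argument order on the new hash_equals() line is reversed: PHP documents the first parameter as the known string and the second as the user-supplied one, so the locally computed value belongs first, `if (hash_equals($signatureLocal, $signature) === false || $shop->isNull()) {`. The same reversal is on the changed line in AuthWebhook.php, where `$hmacLocal` should precede `$hmac`. hash_equals() also requires both arguments to be strings, and a non-string value is rejected with an error rather than compared (a warning and false on PHP 7, a TypeError on PHP 8 depending on the value and strict_types); since `$signature` is assigned above the hunk and presumably comes from the request, a missing or array-valued parameter would surface as a server error instead of the 401 on the next lines, so an `is_string($signature)` check ahead of the comparison is worth adding. handle() begins and ends outside the hunk.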
2 changes: 1 addition & 1 deletion src/ShopifyApp/Http/Middleware/AuthToken.php
Expand Up @@ -127,6 +127,6 @@ private function checkSignature($token)
$hmac = hash_hmac('sha256', $check, $secret, true);
$encoded = base64url_encode($hmac);

return $encoded === $signature;
return hash_equals($encoded, $signature);
}
}
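Review bot: `$signature` on the new return line must be a string for hash_equals(), and its origin is above the hunk; if it is a segment split out of `$token`, a malformed token can leave it null or absent, which hash_equals() reports as an error instead of returning false. A guard such as `if (! is_string($signature)) { return false; }` before the HMAC is computed keeps a bad token a clean rejection. The method is declared as `private function checkSignature($token)` with no types; `private function checkSignature(string $token): bool` would state the contract the new line now depends on. checkSignature() starts outside the hunk.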
2 changes: 1 addition & 1 deletion src/ShopifyApp/Http/Middleware/AuthWebhook.php
Expand Up @@ -35,7 +35,7 @@ public function handle(Request $request, Closure $next)
getShopifyConfig('api_secret', $shop)
);

if (! hash_equals($hmac, $hmacLocal) || empty($shop)) {
if (hash_equals($hmac, $hmacLocal) === false || empty($shop)) {
// Issue with HMAC or missing shop header
return Response::make('Invalid webhook signature.', 401);
}
