Add compatibility for PHP 5.6's hash_equals function
#61
Conversation
- Updated `verify_password` to use new function - Tests to cover warnings and use cases.
|
There are a lot of suggestions popping up around the web to patch this compatibility. Many of them are not timing safe (they return too soon if the strings are of different length). As your password_compat repo has been the authority for the 5.5 updates I wanted to add a correct implementation to it for the new 5.6 function. |
- This check was accidentally removed from master.
| @@ -222,16 +222,65 @@ function password_verify($password, $hash) { | |||
| return false; | |||
| } | |||
| $ret = crypt($password, $hash); | |||
| if (!is_string($ret) || PasswordCompat\binary\_strlen($ret) != PasswordCompat\binary\_strlen($hash) || PasswordCompat\binary\_strlen($ret) <= 13) { | |||
| if (!is_string($hash) || !is_string($ret)) { | |||
There was a problem hiding this comment.
I notice PasswordCompat\binary\_strlen($ret) <= 13 omitted in your revision.
There was a problem hiding this comment.
I'm not sure the purpose of the <= 13 check. I checked the php source code and the comparison is there as well so I pushed a change to add that in.
- Matches `ext/standard/password.c` from the php source. - Comparing the ASCII value of characters.
|
Closing as -1. This library only supports 5.3.7 - 5.4.latest. It does not support 5.5+, and most definitely not 5.6, as it will disable itself. So the only reason to add support for |
verify_passwordto use new function