ENGCOM-2656: [Backport] Use constant time string comparison in FormKe…
…y validator #17108
Stanislav Idolov authored Aug 6, 2018
2 parents 5a07347 + cce5feb commit bd825eb
Showing 1 changed file with 4 additions and 4 deletions.
@@ -5,6 +5,8 @@
*/
namespace Magento\Framework\Data\Form\FormKey;

use Magento\Framework\Encryption\Helper\Security;

class Validator
{
/**
@@ -29,9 +31,7 @@ public function __construct(\Magento\Framework\Data\Form\FormKey $formKey)
public function validate(\Magento\Framework\App\RequestInterface $request)
{
$formKey = $request->getParam('form_key', null);
if (!$formKey || $formKey !== $this->_formKey->getFormKey()) {
return false;
}
return true;

return $formKey && Security::compareStrings($formKey, $this->_formKey->getFormKey());
}
}
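Review bot: In `validate()`, the new return line guards only with `$formKey &&`, so a non-empty non-string value (for example an array, if `getParam` passes one through unchanged) now reaches `Security::compareStrings`, whereas the removed `!==` comparison rejected anything that was not the identical string. `compareStrings` is not shown on this page, so how it treats a non-string argument should be confirmed; an explicit type check keeps the old rejection: `return is_string($formKey) && $formKey && Security::compareStrings($this->_formKey->getFormKey(), $formKey);`. That line also puts the stored key first and the request value second, which is the order `hash_equals` documents for known versus user-supplied strings; check it against the helper's parameter order before adopting it. A unit test that calls `validate()` with an array-valued `form_key` and expects `false` would pin the behaviour.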
