

Use constant time string comparison in FormKey validator
p0pr0ck5 authored and gelanivishal committed Jul 25, 2018
1 parent 92044eb commit 727503d
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions lib/internal/Magento/Framework/Data/Form/FormKey/Validator.php
Expand Up @@ -5,6 +5,11 @@
*/
namespace Magento\Framework\Data\Form\FormKey;

use Magento\Framework\Encryption\Helper\Security;

/**
* @api
*/
class Validator
{
/**
Expand All @@ -29,9 +34,11 @@ public function __construct(\Magento\Framework\Data\Form\FormKey $formKey)
public function validate(\Magento\Framework\App\RequestInterface $request)
{
$formKey = $request->getParam('form_key', null);
if (!$formKey || $formKey !== $this->_formKey->getFormKey()) {

if (!$formKey) {
return false;
}
return true;

return Security::compareStrings($formKey, $this->_formKey->getFormKey());
}
}
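Review bot: `$request->getParam('form_key', null)` can return an array as well as a string (a `form_key[]=…` request parameter), and the new `return Security::compareStrings(...)` line hands that value straight to the comparison helper; the removed `!==` check tolerated a non-string silently, whereas a string-only helper (if it wraps `hash_equals`, which is likely but not visible here) would raise a TypeError on PHP 8 or emit a warning on PHP 7 instead of returning false. Tighten the guard to `if (!is_string($formKey) || $formKey === '') {`, which also drops the truthiness test under which a literal form key of `'0'` would be refused. If the helper follows the `hash_equals` convention of known value first and user-supplied value second, the call should probably read `return Security::compareStrings($this->_formKey->getFormKey(), $formKey);` — worth confirming against the helper's signature. The method's docblock sits above the hunk; a `@return bool` there would document the return contract this change keeps.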
