Hi Rouven,
On Mon, Feb 24, 2014 at 3:31 AM, Rouven Weßling <me@rouvenwessling.de> wrote:
> I've updated the patch, taking the following feedback into account:
> - Renamed function to hash_equals
> - Error out early in case string lengths are not equal (I've maintained the
> names known_string and user_string to allow improving this in the future,
> also makes for a nicer error message)
> - Only allow strings to be compared
>
> The patch can be found here:
> https://github.com/realityking/php-src/compare/hash_equals
>
> If anyone thinks that this needs a new RFC, please say so.
>
I did some experiments. It seems it's good to implement timing-safe
comparison in the engine, i.e. we can make ==/=== secure by default like
Python. It would be much safer to get rid of all timing from PHP.
We need a new RFC to include the change in the engine.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
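For readers following the thread, here is an added userland illustration of the three behaviours Rouven's message lists for the proposed hash_equals() (string-only arguments, early return on length mismatch, constant-time comparison otherwise). This is example code written for this page, not the patch from the linked branch and not PHP's own C implementation in ext/hash; the function name userland_hash_equals, the choice to emit an E_USER_WARNING and return false for non-string input, and the sample HMAC values are assumptions made here.

```php
<?php
// Added example, not part of the patch: a userland equivalent of the proposed
// hash_equals() showing why a length check followed by a fixed-time byte loop
// removes the content-dependent timing that ==/=== (memcmp-style, early-exit)
// comparison leaks.
function userland_hash_equals($known_string, $user_string): bool
{
    // Point 3 of the message: only strings may be compared. The warning text
    // here is an assumption for this example, not the patch's message.
    if (!is_string($known_string) || !is_string($user_string)) {
        trigger_error('userland_hash_equals(): both arguments must be strings', E_USER_WARNING);
        return false;
    }

    // Point 2: error out early when lengths differ. For fixed-width digests
    // the length of the known string is public, so returning here leaks nothing
    // an attacker does not already know.
    $known_len = strlen($known_string);
    if ($known_len !== strlen($user_string)) {
        return false;
    }

    // Point 1 (the timing-safe core): XOR every byte pair and OR the result
    // into an accumulator. The loop never exits early, so the time taken does
    // not depend on where (or whether) the first differing byte occurs.
    $result = 0;
    for ($i = 0; $i < $known_len; $i++) {
        $result |= ord($known_string[$i]) ^ ord($user_string[$i]);
    }
    return $result === 0;
}

// Usage with constructed sample data: verify a received MAC against the one
// recomputed from the message. The known (server-side) value goes first, the
// attacker-controlled value second, matching the parameter names in the patch.
$key         = 'constructed-demo-key';
$message     = 'transfer:100';
$stored_mac  = hash_hmac('sha256', $message, $key);
$received_ok = hash_hmac('sha256', $message, $key);
$received_bad = hash_hmac('sha256', 'transfer:999', $key);

var_dump(userland_hash_equals($stored_mac, $received_ok));
var_dump(userland_hash_equals($stored_mac, $received_bad));
var_dump(userland_hash_equals($stored_mac, substr($stored_mac, 0, 10)));
```

The first call returns true and the other two false; the point of the third call is that a shorter candidate is rejected before the byte loop without revealing anything about the stored digest's content.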