Chad has submitted this change and it was merged. Change subject: Minor code cleanup ......................................................................
Minor code cleanup * Use php 5.6's hash_equals in compareHash * Remove bsd licensed code I accidentally included in the first patch Change-Id: Ia66e6ee34e8387dcd4bbc5524fa95b6e8e69bb35 --- M src/auth/PhutilAuthAdapterOAuthMediaWiki.php 1 file changed, 16 insertions(+), 14 deletions(-) Approvals: 20after4: Verified; Looks good to me, approved
diff --git a/src/auth/PhutilAuthAdapterOAuthMediaWiki.php b/src/auth/PhutilAuthAdapterOAuthMediaWiki.php
index cc9e821..95ccfee 100644
--- a/src/auth/PhutilAuthAdapterOAuthMediaWiki.php
+++ b/src/auth/PhutilAuthAdapterOAuthMediaWiki.php
@@ -137,9 +137,9 @@
 private function decodeJWT($jwt) {
 list($headb64, $bodyb64, $sigb64) = explode('.', $jwt);
- $header = json_decode($this->urlsafeB64Decode($headb64));
- $payload = json_decode($this->urlsafeB64Decode($bodyb64));
- $sig = $this->urlsafeB64Decode($sigb64);
+ $header = json_decode($this->jwtdecode($headb64));
+ $payload = json_decode($this->jwtdecode($bodyb64));
+ $sig = $this->jwtdecode($sigb64);
 $expect_sig = hash_hmac(
 'sha256',
@@ -154,21 +154,23 @@
 return $payload;
 }
- private function urlsafeB64Decode($input) {
- $remainder = strlen($input) % 4;
- if ($remainder) {
- $padlen = 4 - $remainder;
- $input .= str_repeat('=', $padlen);
- }
- return base64_decode(strtr($input, '-_', '+/'));
+ private function jwtdecode($input) {
+ return base64_decode(strtr($input, array('-'=>'+', '_'=>'/')));
 }
 private function compareHash($hash1, $hash2) {
- $result = strlen($hash1) ^ strlen($hash2);
- $len = min(strlen($hash1), strlen($hash2));
- for ($i = 0; $i < $len; $i++) {
+ $result = false;
+ if (function_exists('hash_equals')) {
+ // Use PHP 5.6's hash_equals if available
+ $result = hash_equals($hash1, $hash2);
+ } else {
+ $result = strlen($hash1) ^ strlen($hash2);
+ $len = min(strlen($hash1), strlen($hash2));
+ for ($i = 0; $i < $len; $i++) {
 $result |= ord($hash1{$i}) ^ ord($hash2{$i});
+ }
+ $result = ($result == 0);
 }
- return $result == 0;
+ return $result;
 }
 }
-- To view, visit https://gerrit.wikimedia.org/r/147670 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ia66e6ee34e8387dcd4bbc5524fa95b6e8e69bb35 Gerrit-PatchSet: 1 Gerrit-Project: phabricator/libphutil Gerrit-Branch: master Gerrit-Owner: CSteipp <cste...@wikimedia.org> Gerrit-Reviewer: 20after4 <mmod...@wikimedia.org> Gerrit-Reviewer: Chad <ch...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
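Review bot: The new `jwtdecode` calls `base64_decode` without the strict flag, so characters outside the base64 alphabet in a token segment are silently discarded instead of causing the token to be rejected, and a decode failure is never distinguished from valid data. I would make it `return base64_decode(strtr($input, array('-'=>'+', '_'=>'/')), true);` and have `decodeJWT` treat a `false` result as an invalid token before it reaches `json_decode` or `compareHash`; unpadded input should still decode in strict mode, but confirm that on the oldest PHP version the adapter supports. In `compareHash` the initial `$result = false;` is dead, and `$result` changes from int to bool inside the fallback branch; returning directly from each branch would read more clearly. A short docblock stating that both branches are meant to compare in constant time, and which argument is the locally computed HMAC, would help, since the call site is outside this hunk.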