diff options
| author | Lukas Reschke <lukas@owncloud.com> | 2014-09-03 11:03:27 +0200 |
|---|---|---|
| committer | Lukas Reschke <lukas@owncloud.com> | 2014-09-03 11:03:27 +0200 |
| commit | 50b430ee7cadd6be1520d63acdac27bc06581e09 (patch) | |
| tree | c5ab65b1ac3e845bac58a452465f414584940758 /lib/private/security/stringutils.php | |
| parent | 3329e0f2b22207a24ddb4953bbf11964b23682d9 (diff) | |
| download | nextcloud-server-50b430ee7cadd6be1520d63acdac27bc06581e09.tar.gz nextcloud-server-50b430ee7cadd6be1520d63acdac27bc06581e09.zip | |
Add char consts, hash the specified password for the HMAC
Diffstat (limited to 'lib/private/security/stringutils.php')
| -rw-r--r-- | lib/private/security/stringutils.php | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/private/security/stringutils.php b/lib/private/security/stringutils.php index 32dff50fa8b..33a3a708012 100644 --- a/lib/private/security/stringutils.php +++ b/lib/private/security/stringutils.php @@ -15,6 +15,10 @@ class StringUtils { * length this is done by comparing two hashes against each other and afterwards * a comparison of the real string to prevent against the unlikely chance of * collisions. + * + * Be aware that this function may leak whether the string to compare have a different + * length. + * * @param string $expected The expected value * @param string $input The input to compare against * @return bool True if the two strings are equal, otherwise false. @@ -25,7 +29,7 @@ class StringUtils { return hash_equals($expected, $input); } - $randomString = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(10); + $randomString = \OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate(10); if(hash('sha512', $expected.$randomString) === hash('sha512', $input.$randomString)) { if($expected === $input) { |