Diffstat (limited to 'lib/private/security/stringutils.php')
-rw-r--r--lib/private/security/stringutils.php6
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/private/security/stringutils.php b/lib/private/security/stringutils.php
index 32dff50fa8b..33a3a708012 100644
--- a/lib/private/security/stringutils.php
+++ b/lib/private/security/stringutils.php
@@ -15,6 +15,10 @@ class StringUtils {
* length this is done by comparing two hashes against each other and afterwards
* a comparison of the real string to prevent against the unlikely chance of
* collisions.
+ *
+ * Be aware that this function may leak whether the string to compare have a different
+ * length.
+ *
* @param string $expected The expected value
* @param string $input The input to compare against
* @return bool True if the two strings are equal, otherwise false.
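Review bot: The added caveat on lines 19-20 is ungrammatical ("whether the string to compare have a different length") and would be clearer as `* Be aware that this function may leak whether the two strings have different lengths.` It is worth stating that this applies to both code paths, since the native hash_equals() used when it is available also returns early on a length mismatch, so callers must not rely on this function to hide the length of `$expected`. The docblock sits above a method whose body begins outside this hunk.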
@@ -25,7 +29,7 @@ class StringUtils {
return hash_equals($expected, $input);
}
- $randomString = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(10);
+ $randomString = \OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate(10);
if(hash('sha512', $expected.$randomString) === hash('sha512', $input.$randomString)) {
if($expected === $input) {