

Check strings using hash_equals
Constant-time string comparison to prevent timing attacks
maxrice committed Jan 19, 2015
1 parent 512d77f commit 2d97498
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions includes/api/class-wc-api-authentication.php
Expand Up @@ -190,7 +190,7 @@ private function get_user_by_consumer_key( $consumer_key ) {
*/
private function is_consumer_secret_valid( WP_User $user, $consumer_secret ) {

return $user->woocommerce_api_consumer_secret === $consumer_secret;
return hash_equals( $user->woocommerce_api_consumer_secret, $consumer_secret );
}

/**
Expand Down Expand Up @@ -246,7 +246,7 @@ private function check_oauth_signature( $user, $params ) {

$signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $user->woocommerce_api_consumer_secret, true ) );

if ( $signature !== $consumer_signature ) {
if ( ! hash_equals( $signature, $consumer_signature ) ) {
throw new Exception( __( 'Invalid Signature - provided signature does not match', 'woocommerce' ), 401 );
}
}
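Review bot: The new `hash_equals()` call in `is_consumer_secret_valid()` requires two string arguments, which the old `===` comparison did not: when the user meta is missing (null) or `$consumer_secret` arrives as a non-string, the new line emits a warning and returns false on PHP 5.6/7 and throws a TypeError on PHP 8, where the old code simply returned false. Guard before comparing, e.g. `if ( ! is_string( $user->woocommerce_api_consumer_secret ) || ! is_string( $consumer_secret ) ) { return false; }`. The same applies to `hash_equals( $signature, $consumer_signature )` in the second hunk, where `$consumer_signature` is assigned outside the hunk and its type is not visible here. Argument order is correct in both places (the known value first, the caller-supplied value second), which is what keeps the comparison constant-time. If the plugin's minimum PHP is below 5.6, the call depends on a `hash_equals()` polyfill — WordPress core has shipped one in `compat.php` since 3.9.2 — and the docblock above the method could say so.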

