From b4f19faca8271277cdd37df0bb40f8d18c1e1a36 Mon Sep 17 00:00:00 2001 From: Micah Nordland Date: Sun, 7 Mar 2021 09:50:43 -0500 Subject: [PATCH] Use timing attack safe signature verification --- src/p3k/WebSub/Client.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/p3k/WebSub/Client.php b/src/p3k/WebSub/Client.php index c42868f..cabac08 100644 --- a/src/p3k/WebSub/Client.php +++ b/src/p3k/WebSub/Client.php @@ -218,7 +218,7 @@ class Client { $alg = $match[1]; $sig = $match[2]; $expected_signature = hash_hmac($alg, $body, $secret); - return $sig == $expected_signature; + return hash_equals($sig, $expected_signature); } else { return false; }