
Use timing attack safe signature verification

pull/2/head
Micah Nordland 3 years ago
committed by GitHub
parent
commit
b4f19faca8
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
  1. +1
    -1
      src/p3k/WebSub/Client.php

+ 1
- 1
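--- a/src/p3k/WebSub/Client.php
+++ b/src/p3k/WebSub/Client.php
@@ -218,7 +218,7 @@ class Client {
 $alg = $match[1];
 $sig = $match[2];
 $expected_signature = hash_hmac($alg, $body, $secret);
-return $sig == $expected_signature;
+return hash_equals($sig, $expected_signature);
 } else {
 return false;
 }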
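Review bot: `$alg` is taken from `$match[1]` and passed to `hash_hmac()` without a check in the visible lines, so unless the pattern that fills `$match` (outside this hunk) already restricts it, the sender of the request chooses the HMAC algorithm. An unsupported name makes `hash_hmac()` fail (a `ValueError` on PHP 8, `false` with a warning on older versions) before the comparison is reached, and any supported but weak algorithm would be accepted. Consider an allow-list ahead of the HMAC call, e.g. `if (!in_array($alg, ['sha1', 'sha256', 'sha384', 'sha512'], true)) { return false; }`. Separately, `hash_equals()` documents the known string as its first argument, so `return hash_equals($expected_signature, $sig);` is the conventional order. The enclosing method begins and ends outside the hunk.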
