From 48e30d8696fcaed20ddaec7c98d44805a609b51c Mon Sep 17 00:00:00 2001 From: Wesley Elfring Date: Wed, 17 Aug 2016 11:56:19 +0200 Subject: [PATCH] Use timing attack safe string comparision - Added polyfill for hash_equals - Changed isValid to use the new safe hash_equals function --- composer.json | 55 ++++--- composer.lock | 143 ++++++++++++------ .../Buckaroo/Response/PostResponse.php | 9 +- 3 files changed, 133 insertions(+), 74 deletions(-) diff --git a/composer.json b/composer.json index eb0f5bd..5d232cc 100644 --- a/composer.json +++ b/composer.json @@ -1,26 +1,33 @@ { - "name": "linkorb/buckaroo", - "description": "Buckaroo BPE3 API client for PHP. PSR-0 Compliant.", - "homepage": "http://www.github.com/linkorb/buckaroo", - "keywords": ["php", "api", "buckaroo", "psp", "payment"], - "type": "library", - "authors": [ - { - "name": "Joost Faassen", - "email": "j.faassen@linkorb.com", - "role": "Development" - } - ], - "require": { - "php": ">=5.3.0" - }, - "require-dev": { - "phpunit/phpunit": "3.7.*" - }, - "autoload": { - "psr-0": { - "LinkORB\\Buckaroo\\": "src/" - } - }, - "license": "MIT" + "name": "linkorb/buckaroo", + "description": "Buckaroo BPE3 API client for PHP. PSR-0 Compliant.", + "homepage": "http://www.github.com/linkorb/buckaroo", + "keywords": [ + "php", + "api", + "buckaroo", + "psp", + "payment" + ], + "type": "library", + "authors": [ + { + "name": "Joost Faassen", + "email": "j.faassen@linkorb.com", + "role": "Development" + } + ], + "require": { + "php": ">=5.3.0", + "sarciszewski/php-future": "^0.4.2" + }, + "require-dev": { + "phpunit/phpunit": "3.7.*" + }, + "autoload": { + "psr-0": { + "LinkORB\\Buckaroo\\": "src/" + } + }, + "license": "MIT" } diff --git a/composer.lock b/composer.lock index e7fdbe5..62bf715 100644 --- a/composer.lock +++ b/composer.lock 
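Review bot: The new `"sarciszewski/php-future": "^0.4.2"` requirement is added next to an unchanged `"php": ">=5.3.0"` constraint, yet the lock file entry for that package describes it as polyfilling "new (5.6+) features into old (5.4+) versions of PHP", so the platform floor no longer matches what the project's own dependency supports. Either raise it to `"php": ">=5.4.0"` or confirm the polyfill actually loads on 5.3; as written a 5.3 install may resolve cleanly and only surface the problem at runtime. A one-line comment in the README or commit noting that this dependency exists solely to back the constant-time comparison in `isValid()` on PHP < 5.6, and can be dropped once the floor reaches 5.6, would spare the next maintainer the archaeology.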
@@ -1,7 +1,56 @@ { - "hash": "099fbabb3af84035d3a461b76abc0aae", + "_readme": [ + "This file locks the dependencies of your project to a known state", + "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", + "This file is @generated automatically" + ], + "hash": "bacb62609fb5bd776375d72bf3bd68a4", + "content-hash": "90f886d8285bbf4edb829f13418458c2", "packages": [ - + { + "name": "sarciszewski/php-future", + "version": "0.4.2", + "source": { + "type": "git", + "url": "https://github.com/sarciszewski/php-future.git", + "reference": "8bcc414eecfe68bb4600ab9b179ef6e8454b8ca0" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/sarciszewski/php-future/zipball/8bcc414eecfe68bb4600ab9b179ef6e8454b8ca0", + "reference": "8bcc414eecfe68bb4600ab9b179ef6e8454b8ca0", + "shasum": "" + }, + "require-dev": { + "phpunit/phpunit": "4.5.*" + }, + "type": "library", + "autoload": { + "files": [ + "autoload.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Scott Arciszewski", + "email": "scott@paragonie.com", + "homepage": "https://appsec.solutions", + "role": "Developer" + } + ], + "description": "Polyfill new (5.6+) features into old (5.4+) versions of PHP", + "keywords": [ + "compatibility", + "future", + "hash_equals", + "security" + ], + "time": "2015-09-28 20:04:00" + } ], "packages-dev": [ { 
@@ -10,12 +59,12 @@ "source": { "type": "git", "url": "https://github.com/sebastianbergmann/php-code-coverage.git", - "reference": "1.2.9" + "reference": "3888fcba646930da78c8ff4dd3555f4da4caa0e2" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/1.2.9", - "reference": "1.2.9", + "url": "https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/3888fcba646930da78c8ff4dd3555f4da4caa0e2", + "reference": "3888fcba646930da78c8ff4dd3555f4da4caa0e2", "shasum": "" }, "require": { @@ -62,13 +111,13 @@ "version": "1.3.3", "source": { "type": "git", - "url": "git://github.com/sebastianbergmann/php-file-iterator.git", - "reference": "1.3.3" + "url": "https://github.com/sebastianbergmann/php-file-iterator.git", + "reference": "16a78140ed2fc01b945cfa539665fadc6a038029" }, "dist": { "type": "zip", - "url": "https://github.com/sebastianbergmann/php-file-iterator/zipball/1.3.3", - "reference": "1.3.3", + "url": "https://api.github.com/repos/sebastianbergmann/php-file-iterator/zipball/16a78140ed2fc01b945cfa539665fadc6a038029", + "reference": "16a78140ed2fc01b945cfa539665fadc6a038029", "shasum": "" }, "require": { @@ -100,20 +149,20 @@ "filesystem", "iterator" ], - "time": "2012-10-11 04:44:38" + "time": "2012-10-11 11:44:38" }, { "name": "phpunit/php-text-template", "version": "1.1.4", "source": { "type": "git", - "url": "git://github.com/sebastianbergmann/php-text-template.git", - "reference": "1.1.4" + "url": "https://github.com/sebastianbergmann/php-text-template.git", + "reference": "5180896f51c5b3648ac946b05f9ec02be78a0b23" }, "dist": { "type": "zip", - "url": "https://github.com/sebastianbergmann/php-text-template/zipball/1.1.4", - "reference": "1.1.4", + "url": "https://api.github.com/repos/sebastianbergmann/php-text-template/zipball/5180896f51c5b3648ac946b05f9ec02be78a0b23", + "reference": "5180896f51c5b3648ac946b05f9ec02be78a0b23", "shasum": "" }, "require": { 
@@ -144,20 +193,20 @@ "keywords": [ "template" ], - "time": "2012-10-31 11:15:28" + "time": "2012-10-31 18:15:28" }, { "name": "phpunit/php-timer", "version": "1.0.4", "source": { "type": "git", - "url": "git://github.com/sebastianbergmann/php-timer.git", - "reference": "1.0.4" + "url": "https://github.com/sebastianbergmann/php-timer.git", + "reference": "19fa03d75db7eb732db5256fe7f08a66116ace90" }, "dist": { "type": "zip", - "url": "https://github.com/sebastianbergmann/php-timer/zipball/1.0.4", - "reference": "1.0.4", + "url": "https://api.github.com/repos/sebastianbergmann/php-timer/zipball/19fa03d75db7eb732db5256fe7f08a66116ace90", + "reference": "19fa03d75db7eb732db5256fe7f08a66116ace90", "shasum": "" }, "require": { @@ -188,20 +237,20 @@ "keywords": [ "timer" ], - "time": "2012-10-11 04:45:58" + "time": "2012-10-11 11:45:58" }, { "name": "phpunit/php-token-stream", "version": "1.1.5", "source": { "type": "git", - "url": "git://github.com/sebastianbergmann/php-token-stream.git", - "reference": "1.1.5" + "url": "https://github.com/sebastianbergmann/php-token-stream.git", + "reference": "ffb5e70adbc7cb1d4091ac0f8335b6fcff52cd75" }, "dist": { "type": "zip", - "url": "https://github.com/sebastianbergmann/php-token-stream/zipball/1.1.5", - "reference": "1.1.5", + "url": "https://api.github.com/repos/sebastianbergmann/php-token-stream/zipball/ffb5e70adbc7cb1d4091ac0f8335b6fcff52cd75", + "reference": "ffb5e70adbc7cb1d4091ac0f8335b6fcff52cd75", "shasum": "" }, "require": { @@ -233,7 +282,7 @@ "keywords": [ "tokenizer" ], - "time": "2012-10-11 04:47:14" + "time": "2012-10-11 11:47:14" }, { "name": "phpunit/phpunit", 
@@ -241,12 +290,12 @@ "source": { "type": "git", "url": "https://github.com/sebastianbergmann/phpunit.git", - "reference": "3.7.18" + "reference": "82335c294ae39a59965b0dc2027ac74eb62f53f1" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/3.7.18", - "reference": "3.7.18", + "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/82335c294ae39a59965b0dc2027ac74eb62f53f1", + "reference": "82335c294ae39a59965b0dc2027ac74eb62f53f1", "shasum": "" }, "require": { @@ -314,13 +363,13 @@ "version": "1.2.3", "source": { "type": "git", - "url": "git://github.com/sebastianbergmann/phpunit-mock-objects.git", - "reference": "1.2.3" + "url": "https://github.com/sebastianbergmann/phpunit-mock-objects.git", + "reference": "5794e3c5c5ba0fb037b11d8151add2a07fa82875" }, "dist": { "type": "zip", - "url": "https://github.com/sebastianbergmann/phpunit-mock-objects/archive/1.2.3.zip", - "reference": "1.2.3", + "url": "https://api.github.com/repos/sebastianbergmann/phpunit-mock-objects/zipball/5794e3c5c5ba0fb037b11d8151add2a07fa82875", + "reference": "5794e3c5c5ba0fb037b11d8151add2a07fa82875", "shasum": "" }, "require": { @@ -364,13 +413,13 @@ "target-dir": "Symfony/Component/Yaml", "source": { "type": "git", - "url": "https://github.com/symfony/Yaml.git", - "reference": "v2.2.0-RC3" + "url": "https://github.com/symfony/yaml.git", + "reference": "b293027f4030998a752a1ac06e80ae9e6bf6a763" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/Yaml/zipball/v2.2.0-RC3", - "reference": "v2.2.0-RC3", + "url": "https://api.github.com/repos/symfony/yaml/zipball/b293027f4030998a752a1ac06e80ae9e6bf6a763", + "reference": "b293027f4030998a752a1ac06e80ae9e6bf6a763", "shasum": "" }, "require": { 
@@ -392,13 +441,13 @@ "MIT" ], "authors": [ - { - "name": "Fabien Potencier", - "email": "fabien@symfony.com" - }, { "name": "Symfony Community", "homepage": "http://symfony.com/contributors" + }, + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" } ], "description": "Symfony Yaml Component", @@ -406,17 +455,13 @@ "time": "2013-01-27 16:49:19" } ], - "aliases": [ - - ], + "aliases": [], "minimum-stability": "stable", - "stability-flags": [ - - ], + "stability-flags": [], + "prefer-stable": false, + "prefer-lowest": false, "platform": { "php": ">=5.3.0" }, - "platform-dev": [ - - ] + "platform-dev": [] } diff --git a/src/LinkORB/Buckaroo/Response/PostResponse.php b/src/LinkORB/Buckaroo/Response/PostResponse.php index d7bb699..2f006d3 100644 --- a/src/LinkORB/Buckaroo/Response/PostResponse.php +++ b/src/LinkORB/Buckaroo/Response/PostResponse.php @@ -4,6 +4,7 @@ use LinkORB\Buckaroo\Response; use LinkORB\Buckaroo\SignatureComposer\SignatureComposer; +use Sarciszewski\PHPFuture\Security; /** * PostResponse can be used to verify and read post and push responses from Buckaroo. @@ -60,7 +61,13 @@ public function __construct(array $parameters) */ public function isValid(SignatureComposer $composer) { - return $this->signature === $composer->compose($this->parameters); + // Constant Time String Comparison @see http://php.net/hash_equals + if (!function_exists('hash_equals')) { + // Polyfill for PHP < 5.6 + return Security::hashEquals($composer->compose($this->parameters), $this->signature); + } else { + return hash_equals($composer->compose($this->parameters), $this->signature); + } } /**
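Review bot: `hash_equals()` requires two strings, so if the constructor can leave `$this->signature` null or non-string (a push that carries no signature parameter — not visible in this hunk, so to be confirmed), the new comparison emits a warning and returns false on PHP 5.6/7 and throws a `TypeError` on PHP 8, where the old `===` simply returned false; a guard such as `if (!is_string($this->signature)) { return false; }` ahead of the comparison preserves the previous outcome for that case. The argument order is correct — the locally computed `$composer->compose(...)` is the known value and the received signature the untrusted one — and the comment should record that rather than only link to the manual, e.g. `// hash_equals(known, received): computed signature first so the comparison time does not depend on the received value`. As a point of style, the `else` after `return` is redundant and `$composer->compose($this->parameters)` is evaluated in both branches; computing `$expected = $composer->compose($this->parameters);` once and returning from the `hash_equals` branch first, with the polyfill call as the fall-through, reads cleaner. `isValid()` opens and closes entirely within the hunk.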