Use constant time string comparison in FormKey validator

p0pr0ck5 · gelanivishal · commit 727503d8c256 · 2018-07-25T10:34:11.000+05:30
diff --git a/lib/internal/Magento/Framework/Data/Form/FormKey/Validator.php b/lib/internal/Magento/Framework/Data/Form/FormKey/Validator.php
@@ -5,6 +5,11 @@
  */
 namespace Magento\Framework\Data\Form\FormKey;
 
+use Magento\Framework\Encryption\Helper\Security;
+
+/**
+ * @api
+ */
 class Validator
 {
     /**
@@ -29,9 +34,11 @@ public function __construct(\Magento\Framework\Data\Form\FormKey $formKey)
     public function validate(\Magento\Framework\App\RequestInterface $request)
     {
         $formKey = $request->getParam('form_key', null);
-        if (!$formKey || $formKey !== $this->_formKey->getFormKey()) {
+
+        if (!$formKey) {
             return false;
         }
-        return true;
+
+        return Security::compareStrings($formKey, $this->_formKey->getFormKey());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,11 @@`
`5`	`5`	`*/`
`6`	`6`	`namespace Magento\Framework\Data\Form\FormKey;`
`7`	`7`
	`8`	`+use Magento\Framework\Encryption\Helper\Security;`
	`9`	`+`
	`10`	`+/**`
	`11`	`+ * @api`
	`12`	`+ */`
`8`	`13`	`class Validator`
`9`	`14`	`{`
`10`	`15`	`/**`
`@@ -29,9 +34,11 @@ public function __construct(\Magento\Framework\Data\Form\FormKey $formKey)`
`29`	`34`	`public function validate(\Magento\Framework\App\RequestInterface $request)`
`30`	`35`	`{`
`31`	`36`	`$formKey = $request->getParam('form_key', null);`
`32`		`- if (!$formKey \|\| $formKey !== $this->_formKey->getFormKey()) {`
	`37`	`+`
	`38`	`+ if (!$formKey) {`
`33`	`39`	`return false;`
`34`	`40`	`}`
`35`		`- return true;`
	`41`	`+`
	`42`	`+ return Security::compareStrings($formKey, $this->_formKey->getFormKey());`
`36`	`43`	`}`
`37`	`44`	`}`