From 099ea852502284a32119f7c19cae3b996359026e Mon Sep 17 00:00:00 2001 From: Arnaud Lejosne Date: Sun, 6 Dec 2015 00:13:32 +0100 Subject: [PATCH] Remove deprecated StringUtils from WSSE custom auth provider --- components/security/secure_tools.rst | 20 ++----------------- .../custom_authentication_provider.rst | 11 +--------- 2 files changed, 3 insertions(+), 28 deletions(-) diff --git a/components/security/secure_tools.rst b/components/security/secure_tools.rst index f43a4f2c7ed..32860f6fa2d 100644 --- a/components/security/secure_tools.rst +++ b/components/security/secure_tools.rst @@ -1,26 +1,10 @@ -Securely Comparing Strings and Generating Random Numbers -======================================================== +Securely Generating Random Numbers +================================== The Symfony Security component comes with a collection of nice utilities related to security. These utilities are used by Symfony, but you should also use them if you want to solve the problem they address. -Comparing Strings -~~~~~~~~~~~~~~~~~ - -The time it takes to compare two strings depends on their differences. This -can be used by an attacker when the two strings represent a password for -instance; it is known as a `Timing attack`_. - -Internally, when comparing two passwords, Symfony uses a constant-time -algorithm; you can use the same strategy in your own code thanks to the -:class:`Symfony\\Component\\Security\\Core\\Util\\StringUtils` class:: - - use Symfony\Component\Security\Core\Util\StringUtils; - - // is some known string (e.g. password) equal to some user input? - $bool = StringUtils::equals($knownString, $userInput); - Generating a Secure random Number ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/cookbook/security/custom_authentication_provider.rst b/cookbook/security/custom_authentication_provider.rst index f44ea0b8cf8..06e48345110 100644 --- a/cookbook/security/custom_authentication_provider.rst +++ b/cookbook/security/custom_authentication_provider.rst @@ -214,7 +214,6 @@ the ``PasswordDigest`` header value matches with the user's password. use Symfony\Component\Security\Core\Exception\NonceExpiredException; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use AppBundle\Security\Authentication\Token\WsseUserToken; - use Symfony\Component\Security\Core\Util\StringUtils; class WsseProvider implements AuthenticationProviderInterface { @@ -273,7 +272,7 @@ the ``PasswordDigest`` header value matches with the user's password. // Validate Secret $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true)); - return StringUtils::equals($expected, $digest); + return hash_equals($expected, $digest); } public function supports(TokenInterface $token) @@ -290,14 +289,6 @@ the ``PasswordDigest`` header value matches with the user's password. provider for the given token. In the case of multiple providers, the authentication manager will then move to the next provider in the list. -.. note:: - - The comparison of the expected and the provided digests uses a constant - time comparison provided by the - :method:`Symfony\\Component\\Security\\Core\\Util\\StringUtils::equals` - method of the ``StringUtils`` class. It is used to mitigate possible - `timing attacks`_. - The Factory -----------