Prevent timing attack on HMAC #12152

PowerKiKi · PowerKiKi · commit 1018ff7f07c9 · 2025-12-30T20:51:04.000+09:00
diff --git a/src/Middleware/SignedQueryMiddleware.php b/src/Middleware/SignedQueryMiddleware.php
@@ -96,7 +96,7 @@ private function verifyHash(ServerRequestInterface $request, string $timestamp,
 
         foreach ($this->keys as $name => $value) {
             $computedHash = hash_hmac('sha256', $payload, $value);
-            if ($hash === $computedHash) {
+            if (hash_equals($hash, $computedHash)) {
                 return $request->withAttribute($this::class, $name);
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ private function verifyHash(ServerRequestInterface $request, string $timestamp,`
`96`	`96`
`97`	`97`	`foreach ($this->keys as $name => $value) {`
`98`	`98`	`$computedHash = hash_hmac('sha256', $payload, $value);`
`99`		`- if ($hash === $computedHash) {`
	`99`	`+ if (hash_equals($hash, $computedHash)) {`
`100`	`100`	`return $request->withAttribute($this::class, $name);`
`101`	`101`	`}`
`102`	`102`	`}`