Skip to content

fix: CO-3468 use constant-time comparison in TokenValidator#36

Open
MagnusPienknyJTL (jtlmagnus) wants to merge 1 commit into
developfrom
bugfix/CO-3468_constant_time_token_validation
Open

fix: CO-3468 use constant-time comparison in TokenValidator#36
MagnusPienknyJTL (jtlmagnus) wants to merge 1 commit into
developfrom
bugfix/CO-3468_constant_time_token_validation

Conversation

@jtlmagnus

Copy link
Copy Markdown

Replace the === comparison in TokenValidator::validate() with hash_equals() to prevent a timing attack that could allow token recovery via statistical timing analysis.

Also aligns composer.json dependency constraints (Symfony ^7.4, doctrine/collections ^2.6) with the supported PHP 8.3 baseline and regenerates composer.lock accordingly.

Replace the === comparison in TokenValidator::validate() with
hash_equals() to prevent a timing attack that could allow token
recovery via statistical timing analysis.

Also aligns composer.json dependency constraints (Symfony ^7.4,
doctrine/collections ^2.6) with the supported PHP 8.3 baseline and
regenerates composer.lock accordingly.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant