
hash_equals() parameters have a strict order, not followed in EmailVerificationRequest.php #42345

@renatofrota

Description

  • Laravel Version: master
  • PHP Version: not applicable
  • Database Driver & Version: not applicable

Description:

  • hash_equals() signature is:

    hash_equals(string $known_string, string $user_string): bool
    
  • its documentation also states:

    Note:
    It is important to provide the user-supplied string as the second parameter, rather than the first.
    
  • EmailVerificationRequest.php passes the user-supplied string (obtained from URL) as the first parameter.

Although the current implementation works, it is not strictly following the parameter order ($known_string first, $user_string second) and directly contradicts an important documentation note.

Additional relevant information: the comment by Rouven Weßling (RFC and patch author) here, stating the decision to keep the parameter names and the instruction to strictly follow their order is a future-proof decision.

Steps To Reproduce:

not applicable
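The two call shapes the issue describes, side by side, as an added PHP example that is not Laravel's code; the sha1-of-email derivation of the known value and the helper names are assumptions made for this example:

```php
<?php
// Added example, not code from Laravel's EmailVerificationRequest.
// The known value is whatever the application computed itself; the user
// value comes from the request (here, the hash segment of the verification URL).

// Wrong order: the request-supplied value is passed as $known_string.
function verifyHashWrongOrder(string $hashFromUrl, string $expectedHash): bool
{
    return hash_equals($hashFromUrl, $expectedHash);
}

// Documented order: application-known value first, user-supplied value second.
// Naming the parameters after the contract makes a swapped call visible at the
// call site, which is the point of the documentation note quoted above.
function verifyHashCorrectOrder(string $expectedHash, string $hashFromUrl): bool
{
    return hash_equals($expectedHash, $hashFromUrl);
}

// Constructed sample values. Deriving the known value as sha1 of the email is
// an assumption for this example, not a statement about Laravel's internals.
$email       = 'user@example.com';
$expected    = sha1($email);
$fromUrlGood = $expected;
$fromUrlBad  = 'deadbeef';   // request-controlled value of the wrong length

var_dump(verifyHashCorrectOrder($expected, $fromUrlGood));
var_dump(verifyHashCorrectOrder($expected, $fromUrlBad));

// Both orders return the same boolean with today's implementation, which is
// why the existing code "works"; only the documented order keeps the
// known-length-only timing property the RFC author describes as future-proof.
var_dump(verifyHashWrongOrder($fromUrlBad, $expected));
```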
