ENGCOM-2656: [Backport] Use constant time string comparison in FormKey validator #17108

Stanislav Idolov · web-flow · commit bd825eb7df29 · 2018-08-06T10:24:10.000+03:00
diff --git a/lib/internal/Magento/Framework/Data/Form/FormKey/Validator.php b/lib/internal/Magento/Framework/Data/Form/FormKey/Validator.php
@@ -5,6 +5,8 @@
  */
 namespace Magento\Framework\Data\Form\FormKey;
 
+use Magento\Framework\Encryption\Helper\Security;
+
 class Validator
 {
     /**
@@ -29,9 +31,7 @@ public function __construct(\Magento\Framework\Data\Form\FormKey $formKey)
     public function validate(\Magento\Framework\App\RequestInterface $request)
     {
         $formKey = $request->getParam('form_key', null);
-        if (!$formKey || $formKey !== $this->_formKey->getFormKey()) {
-            return false;
-        }
-        return true;
+        
+        return $formKey && Security::compareStrings($formKey, $this->_formKey->getFormKey());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,8 @@`
`5`	`5`	`*/`
`6`	`6`	`namespace Magento\Framework\Data\Form\FormKey;`
`7`	`7`
	`8`	`+use Magento\Framework\Encryption\Helper\Security;`
	`9`	`+`
`8`	`10`	`class Validator`
`9`	`11`	`{`
`10`	`12`	`/**`
`@@ -29,9 +31,7 @@ public function __construct(\Magento\Framework\Data\Form\FormKey $formKey)`
`29`	`31`	`public function validate(\Magento\Framework\App\RequestInterface $request)`
`30`	`32`	`{`
`31`	`33`	`$formKey = $request->getParam('form_key', null);`
`32`		`- if (!$formKey \|\| $formKey !== $this->_formKey->getFormKey()) {`
`33`		`- return false;`
`34`		`- }`
`35`		`- return true;`
	`34`	`+`
	`35`	`+ return $formKey && Security::compareStrings($formKey, $this->_formKey->getFormKey());`
`36`	`36`	`}`
`37`	`37`	`}`