Closed Nightfirecat closed 7 years ago
Given that the only 'sensitive' comparison is done in the deploy script, and it's already using `hash_equals()`, I'm inclined to say that the performance hit won't be worth it here. In general, most of the application doesn't have any security implications, so there's no real need for this.
It's timing-safe, and generally a better alternative to `==`/`===` or `strcmp()` as a result.

Places where this needs to change:
`else if` branches)
`else if` branches)
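
An added illustration of the comparison discussed in this thread; it is not code from this repository, whose deploy script is not shown on this page. It assumes the sensitive comparison is an HMAC-signed webhook check. The function name, header format, secret and payload are constructed for the example.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: verify a signature header of the form "sha256=<hex>"
 * against an HMAC of the raw request body.
 */
function verify_signature(string $payload, ?string $header, string $secret): bool
{
    // A missing header must fail closed; hash_equals() requires two strings.
    if ($header === null || $header === '') {
        return false;
    }

    $expected = 'sha256=' . hash_hmac('sha256', $payload, $secret);

    // hash_equals() takes the same time wherever the first differing byte is,
    // so response timing does not reveal how much of a guess was correct.
    // The known (secret-derived) string goes first, the user-supplied one second.
    return hash_equals($expected, $header);
}

// Constructed sample values.
$secret  = 'constructed-example-secret';
$payload = '{"ref":"refs/heads/master"}';
$valid   = 'sha256=' . hash_hmac('sha256', $payload, $secret);
$forged  = 'sha256=' . str_repeat('0', 64);

var_dump(verify_signature($payload, $valid, $secret));   // matching signature
var_dump(verify_signature($payload, $forged, $secret));  // wrong signature
var_dump(verify_signature($payload, null, $secret));     // header absent

// Loose comparison is not a safe substitute: both operands below are numeric
// strings in scientific notation, so == compares them as the number zero and
// reports a match. hash_equals() compares the bytes and reports a mismatch.
var_dump('0e1234' == '0e5678');
var_dump(hash_equals('0e1234', '0e5678'));
```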