Fix for timing attacks against OAuth.php

zhouweidong / oauth

Automatically exported from code.google.com/p/oauth

0 stars 0 forks source link

Fix for timing attacks against OAuth.php #178

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago

I've made a patch for OAuth.php that implements the recommended style of 
constant-time string comparison to fix the timing attack problem described 
here: 
http://thenextweb.com/socialmedia/2010/07/17/oauth-and-openid-authentication-vul
nerable-to-timing-attack/

I've done some testing and it seems to mitigate the problem, but someone with 
security expertise should review this. Use at your own risk.

Original issue reported on code.google.com by zcop...@gmail.com on 17 Jul 2010 at 9:40

Attachments:

timing_leak_fix.patch

GoogleCodeExporter commented 8 years ago

Original comment by morten.f...@gmail.com on 29 Mar 2011 at 4:29

Added labels: Lib-PHP, Type-Enhancement

GoogleCodeExporter commented 8 years ago

This issue was closed by revision r1258.

Original comment by morten.f...@gmail.com on 29 Mar 2011 at 5:16

Changed state: Fixed

GoogleCodeExporter commented 8 years ago

Sorry, misprinted the issue-number in the commit message. I will look at this 
later though.

Original comment by morten.f...@gmail.com on 29 Mar 2011 at 5:17

Changed state: New

GoogleCodeExporter commented 8 years ago

This issue was closed by revision r1259.

Original comment by morten.f...@gmail.com on 29 Mar 2011 at 5:34

Changed state: Fixed