bugfix: SimpleSAML\Utils\Crypto returns true for different strings using PHP < 5.6.

The reason was the lack of conversion to integer for each character of the strings before applying the XOR operator to them. The operator returns always an empty string when applied to two characters, and applying a binary-wise OR between 0 and an empty string, yields 0. Therefore, $diff is always 0, and the function returns true for every two strings with same length, regardless of their contents.

bugfix: SimpleSAML\Utils\Crypto returns true for different strings using PHP < 5.6.
The reason was the lack of conversion to integer for each character of the strings before applying the XOR operator to them. The operator returns always an empty string when applied to two characters, and applying a binary-wise OR between 0 and an empty string, yields 0. Therefore, $diff is always 0, and the function returns true for every two strings with same length, regardless of their contents.
4bc62965 · Jaime Pérez Crespo · f931e2eb · 4bc62965
Commit 4bc62965 authored 7 years ago by Jaime Pérez Crespo
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -404,8 +404,8 @@ class Crypto
            return false; // length differs
        }
        $diff = 0;
-        for ($i = 0; $i < $len; ++$i) {
-            $diff |= $known[$i] ^ $user[$i];
+        for ($i = 0; $i < $len; $i++) {
+            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        // if all the bytes in $a and $b are identical, $diff should be equal to 0
        return $diff === 0;