public function check_signature(&$request, $consumer, $token, $signature) {
$built = $this->build_signature($request, $consumer, $token);
return $built == $signature;
+
+ // Check for zero length, although unlikely here
+ if (strlen($built) == 0 || strlen($signature) == 0) {
+ return false;
+ }
+
+ if (strlen($built) != strlen($signature)) {
+ return false;
+ }
+
+ $result = 0;
+
+ // Avoid a timing leak with a (hopefully) time insensitive compare
+ for ($i = 0; $i < strlen($signature); $i++) {
+ $result |= ord($built{$i}) ^ ord($signature{$i});
+ }
+
+ return $result == 0;
}
}/*}}}*/
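Review bot: The constant-time comparison added below `return $built == $signature;` is unreachable, because that context line is not removed — check_signature still returns the loose `==` result (which also treats numeric-looking strings such as `0e…` as equal) before the new length checks and XOR loop run, unless the `-` marker on that line was lost in rendering. Deleting that line is required for the added code to take effect. The new loop also indexes with `$built{$i}`, the curly-brace string-offset form that PHP 7.4 deprecates and PHP 8 rejects; `$built[$i]` is the compatible spelling. On PHP 5.6 and later the length guards and loop can be replaced by a single `return hash_equals($built, $signature);`, which is timing-insensitive by contract and removes the hand-rolled compare. The hunk header is not visible in this excerpt, so the surrounding context could not be checked.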
} else {
// collect request parameters from query string (GET) and post-data (POST) if appropriate (note: POST vars have priority)
$req_parameters = $_GET;
- if ($http_method == "POST" && @strstr($request_headers["Content-Type"], "application/x-www-form-urlencoded") ) {
+ if ($http_method == "POST" &&
+ ( @strstr($request_headers["Content-Type"], "application/x-www-form-urlencoded") || @strstr($_ENV["CONTENT_TYPE"], "application/x-www-form-urlencoded") )) {
$req_parameters = array_merge($req_parameters, $_POST);
}
public function get_normalized_http_url() {/*{{{*/
$parts = parse_url($this->http_url);
- $port = @$parts['port'];
+ $port = isset($parts['port']) ? $parts['port'] : null;
$scheme = $parts['scheme'];
$host = $parts['host'];
$path = @$parts['path'];