Merge branch '2.5'

* 2.5: (23 commits)
  [HttpKernel] fixed some unit tests for 2.4 (signature now uses SHA256 instead of MD5)
  [HttpKernel] simplified code
  [HttpKernel] fixed internal fragment handling
  fixing yaml indentation
  Unexpexted ));"
  [WebProfiler] replaced the import/export feature from the web interface to a CLI tool
  Forced all fragment uris to be signed, even for ESI
  Add tests and more assertions
  [FrameworkBundle][Translator] Validate locales.
  [HttpFoundation] added some missing tests
  [HttpFoundation] Improve string values in test codes
  [Security] Add more tests for StringUtils::equals
  fix comment: not fourth but sixth argument
  fixing typo in a comment
  [FrameworkBundle] fixed CS
  [FrameworkBundle] PhpExtractor bugfix and improvements
  [Finder] Fix findertest readability
  [Filesystem] Add FTP stream wrapper context option to enable overwrite (override)
  fix parsing of Authorization header
  Test examples from Drupal SA-CORE-2014-003
  ...

Conflicts:
	src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/admin.html.twig
	src/Symfony/Component/Filesystem/Filesystem.php
	src/Symfony/Component/HttpKernel/Fragment/EsiFragmentRenderer.php

Author: fabpot

Core/Tests/Util/StringUtilsTest.php

@@ -13,11 +13,49 @@
 
 use Symfony\Component\Security\Core\Util\StringUtils;
 
+/**
+ * Data from PHP.net's hash_equals tests
+ */
 class StringUtilsTest extends \PHPUnit_Framework_TestCase
 {
-    public function testEquals()
+    public function dataProviderTrue()
+    {
+        return array(
+            array('same', 'same'),
+            array('', ''),
+            array(123, 123),
+            array(null, ''),
+            array(null, null),
+        );
+    }
+
+    public function dataProviderFalse()
+    {
+        return array(
+            array('not1same', 'not2same'),
+            array('short', 'longer'),
+            array('longer', 'short'),
+            array('', 'notempty'),
+            array('notempty', ''),
+            array(123, 'NaN'),
+            array('NaN', 123),
+            array(null, 123),
+        );
+    }
+
+    /**
+     * @dataProvider dataProviderTrue
+     */
+    public function testEqualsTrue($known, $user)
+    {
+        $this->assertTrue(StringUtils::equals($known, $user));
+    }
+
+    /**
+     * @dataProvider dataProviderFalse
+     */
+    public function testEqualsFalse($known, $user)
     {
-        $this->assertTrue(StringUtils::equals('password', 'password'));
-        $this->assertFalse(StringUtils::equals('password', 'foo'));
+        $this->assertFalse(StringUtils::equals($known, $user));
     }
 }

Core/Util/StringUtils.php

@@ -35,23 +35,19 @@ private function __construct() {}
      */
     public static function equals($knownString, $userInput)
     {
-        // Prevent issues if string length is 0
-        $knownString .= chr(0);
-        $userInput .= chr(0);
-
         $knownLen = strlen($knownString);
         $userLen = strlen($userInput);
 
+        // Extend the known string to avoid uninitialized string offsets
+        $knownString .= $userInput;
+
         // Set the result to the difference between the lengths
         $result = $knownLen - $userLen;
 
         // Note that we ALWAYS iterate over the user-supplied length
         // This is to prevent leaking length information
         for ($i = 0; $i < $userLen; $i++) {
-            // Using % here is a trick to prevent notices
-            // It's safe, since if the lengths are different
-            // $result is already non-0
-            $result |= (ord($knownString[$i % $knownLen]) ^ ord($userInput[$i]));
+            $result |= (ord($knownString[$i]) ^ ord($userInput[$i]));
         }
 
         // They are only identical strings if $result is exactly 0...