[ Index ] |
PHP Cross Reference of Joomla 4.2.2 documentation |
[Summary view] [Print] [Text view]
1 <?php 2 3 /** 4 * Joomla! Content Management System 5 * 6 * @copyright (C) 2012 Open Source Matters, Inc. <https://www.joomla.org> 7 * @license GNU General Public License version 2 or later; see LICENSE.txt 8 */ 9 10 namespace Joomla\CMS\Crypt; 11 12 use Joomla\Crypt\Crypt as JCrypt; 13 14 // phpcs:disable PSR1.Files.SideEffects 15 \defined('JPATH_PLATFORM') or die; 16 // phpcs:enable PSR1.Files.SideEffects 17 18 /** 19 * Crypt is a Joomla Platform class for handling basic encryption/decryption of data. 20 * 21 * @since 3.0.0 22 */ 23 class Crypt extends JCrypt 24 { 25 /** 26 * A timing safe comparison method. 27 * 28 * This defeats hacking attempts that use timing based attack vectors. 29 * 30 * NOTE: Length will leak. 31 * 32 * @param string $known A known string to check against. 33 * @param string $unknown An unknown string to check. 34 * 35 * @return boolean True if the two strings are exactly the same. 36 * 37 * @since 3.2 38 */ 39 public static function timingSafeCompare($known, $unknown) 40 { 41 /** 42 * Explanation about the function_exists 43 * 44 * Yes, hash_equals has existed since PHP 5.6.0 and Joomla's minimum requirements are higher 45 * than that. However, this does not prevent a misguided server administrator from disabling 46 * hash_equals in php.ini. Hence the need for checking whether the function exists or not. 47 */ 48 if (function_exists('hash_equals')) { 49 return hash_equals($known, $unknown); 50 } 51 52 /** 53 * If hash_equals is not available we use a pure PHP implementation by Anthony Ferrara. 54 * 55 * @see https://blog.ircmaxell.com/2014/11/its-all-about-time.html 56 */ 57 $safeLen = strlen($known); 58 $userLen = strlen($unknown); 59 60 if ($userLen != $safeLen) { 61 return false; 62 } 63 64 $result = 0; 65 66 for ($i = 0; $i < $userLen; $i++) { 67 $result |= (ord($known[$i]) ^ ord($unknown[$i])); 68 } 69 70 // They are only identical strings if $result is exactly 0... 71 return $result === 0; 72 } 73 74 /** 75 * Safely detect a string's length 76 * 77 * This method is derived from \ParagonIE\Halite\Util::safeStrlen() 78 * 79 * @param string $str String to check the length of 80 * 81 * @return integer 82 * 83 * @since 3.5 84 * @ref mbstring.func_overload 85 * @throws \RuntimeException 86 */ 87 public static function safeStrlen($str) 88 { 89 static $exists = null; 90 91 if ($exists === null) { 92 $exists = \function_exists('mb_strlen'); 93 } 94 95 if ($exists) { 96 $length = mb_strlen($str, '8bit'); 97 98 if ($length === false) { 99 throw new \RuntimeException('mb_strlen() failed unexpectedly'); 100 } 101 102 return $length; 103 } 104 105 // If we reached here, we can rely on strlen to count bytes: 106 return \strlen($str); 107 } 108 109 /** 110 * Safely extract a substring 111 * 112 * This method is derived from \ParagonIE\Halite\Util::safeSubstr() 113 * 114 * @param string $str The string to extract the substring from 115 * @param integer $start The starting position to extract from 116 * @param integer $length The length of the string to return 117 * 118 * @return string 119 * 120 * @since 3.5 121 */ 122 public static function safeSubstr($str, $start, $length = null) 123 { 124 static $exists = null; 125 126 if ($exists === null) { 127 $exists = \function_exists('mb_substr'); 128 } 129 130 if ($exists) { 131 // In PHP 5.3 mb_substr($str, 0, NULL, '8bit') returns an empty string, so we have to find the length ourselves. 132 if ($length === null) { 133 if ($start >= 0) { 134 $length = static::safeStrlen($str) - $start; 135 } else { 136 $length = -$start; 137 } 138 } 139 140 return mb_substr($str, $start, $length, '8bit'); 141 } 142 143 // Unlike mb_substr(), substr() doesn't accept NULL for length 144 if ($length !== null) { 145 return substr($str, $start, $length); 146 } 147 148 return substr($str, $start); 149 } 150 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
Generated: Wed Sep 7 05:41:13 2022 | Chilli.vc Blog - For Webmaster,Blog-Writer,System Admin and Domainer |