Commit

Use strict time-constant function to compare TCPDF-tag hashes.
nicolaasuni committed Dec 23, 2024
1 parent 387e803 commit d54b97c
Showing 2 changed files with 2 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.TXT
@@ -1,5 +1,6 @@
6.8.0 (2024-12-23)
- Escape error message.
- Use strict time-constant function to compare TCPDF-tag hashes.

6.7.8 (2024-12-13)
- Improve SVG detection by checking for (mandatory) namespace.
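Review bot: The new 6.8.0 entry "Use strict time-constant function to compare TCPDF-tag hashes" names the mechanism but not that it is a security hardening of tag-hash verification, so someone scanning the changelog cannot tell that this release matters for upgrade decisions. Suggest saying so in the entry, for example by noting that the TCPDF-tag hash check was previously a non-strict, non-constant-time comparison.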
2 changes: 1 addition & 1 deletion tcpdf.php
Expand Up @@ -17260,7 +17260,7 @@ protected function unserializeTCPDFtag($data) {
$hlen = intval(substr($data, 0, $hpos));
$hash = substr($data, $hpos + 1, $hlen);
$encoded = substr($data, $hpos + 2 + $hlen);
if ($hash != $this->hashTCPDFtag($encoded)) {
if (!hash_equals( $this->hashTCPDFtag($encoded), $hash)) {
$this->Error('Invalid parameters');
}
return json_decode(urldecode($encoded), true);
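Review bot: On the new `hash_equals(...)` line, `$hash` is whatever `substr($data, $hpos + 1, $hlen)` yields from caller-supplied `$data`, with `$hlen` itself read out of that same data, and nothing in this hunk ensures it is a string of the expected digest length before it reaches `hash_equals()`. On PHP versions before 8.0 `substr()` can return `false` for short input, which `hash_equals()` does not accept as a string; suggest casting (`(string) $hash`) or rejecting early when `$hlen` does not equal the length of `$this->hashTCPDFtag($encoded)`. The argument order (computed value first, supplied value second) is right. Separately, the rejection path depends on `$this->Error('Invalid parameters')` never returning, because `return json_decode(urldecode($encoded), true);` follows unconditionally; an explicit `return` inside the `if` would make the check hold regardless of what `Error()` does. Minor style point: there is a stray space after `hash_equals(`.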