From 5cc28a0716c0098383ea50531ca714a327f31e07 Mon Sep 17 00:00:00 2001
From: Fillerino
Date: Mon, 24 Apr 2017 22:49:03 +0200
Subject: [PATCH] Fixing timing attack vuln. on HMAC comparison (#409)
---
 app/Http/Middleware/HMACAuthorization.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/Http/Middleware/HMACAuthorization.php b/app/Http/Middleware/HMACAuthorization.php
index 2c08c1449..eda4f8692 100644
--- a/app/Http/Middleware/HMACAuthorization.php
+++ b/app/Http/Middleware/HMACAuthorization.php
@@ -170,7 +170,7 @@ class HMACAuthorization
 */
 protected function validateContents()
 {
- if (base64_decode($this->hash()) !== $this->generateSignature()) {
+ if (! hash_equals(base64_decode($this->hash()), $this->generateSignature())) {
 throw new BadRequestHttpException('The HMAC for the request was invalid.');
 }
 }
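Review bot: The arguments to `hash_equals()` on the added line are in the reverse of the documented order. PHP declares `hash_equals($known_string, $user_string)` and the manual asks for the user-supplied value second, but here the request-derived `base64_decode($this->hash())` goes first and the server-computed signature second. I would write `if (! hash_equals($this->generateSignature(), (string) base64_decode($this->hash(), true))) {`. The strict flag rejects non-base64 input, and the cast turns a `false` decode result into an empty string so the check still fails with the 400 response. `hash()` and `generateSignature()` are defined outside this hunk, so it is worth confirming that both always return strings; `hash_equals()` warns on non-string arguments on PHP 5.6/7 and throws a `TypeError` on PHP 8. A test that sends a malformed or missing signature and expects `BadRequestHttpException` would pin that behaviour.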