PHPSDK-180: Use constant-time string comparison in Notification::verifyNotification

CasEbb · web-flow · commit 78ea6d6405a6 · 2025-08-21T13:09:17.000+02:00
diff --git a/src/Util/Notification.php b/src/Util/Notification.php
@@ -50,6 +50,6 @@ public static function verifyNotification(
         $payload = $timestamp . ':' . $request;
         $hash = hash_hmac('sha512', $payload, trim($apiKey));
 
-        return $hash === $sha512hexPayload;
+        return hash_equals($hash, $sha512hexPayload);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,6 @@ public static function verifyNotification(`
`50`	`50`	`$payload = $timestamp . ':' . $request;`
`51`	`51`	`$hash = hash_hmac('sha512', $payload, trim($apiKey));`
`52`	`52`
`53`		`- return $hash === $sha512hexPayload;`
	`53`	`+ return hash_equals($hash, $sha512hexPayload);`
`54`	`54`	`}`
`55`	`55`	`}`