Updated FacebookRedirectLoginHelper and SignedRequest to constant tim…

…e CSRF check.

src/Facebook/Entities/SignedRequest.php

@@ -324,8 +324,18 @@ public static function validateSignature($hashedSig, $sig)
  */
  public static function validateCsrf(array $data, $state)
  {
- if (isset($data['state']) && $data['state'] === $state) {
- return;
+ if (isset($data['state'])) {
+ $savedLen = mb_strlen($state);
+ $givenLen = mb_strlen($data['state']);
+ if ($savedLen == $givenLen) {
+ $result = 0;
+ for ($i = 0; $i < $savedLen; $i++) {
+ $result |= ord($state[$i]) ^ ord($data['state'][$i]);
+ }
+ if ($result === 0) {
+ return;
+ }
+ }
  }
 
  throw new FacebookSDKException(

src/Facebook/FacebookRedirectLoginHelper.php

@@ -203,8 +203,21 @@ public function getSessionFromRedirect()
  */
  protected function isValidRedirect()
  {
- return $this->getCode() && isset($_GET['state'])
- && $_GET['state'] == $this->state;
+ $savedState = $this->getCode();
+ if (!$this->getCode() || !isset($_GET['state'])) {
+ return false;
+ }
+ $givenState = $_GET['state'];
+ $savedLen = mb_strlen($savedState);
+ $givenLen = mb_strlen($givenState);
+ if ($savedLen !== $givenLen) {
+ return false;
+ }
+ $result = 0;
+ for ($i = 0; $i < $savedLen; $i++) {
+ $result |= ord($savedState[$i]) ^ ord($givenState[$i]);
+ }
+ return $result === 0;
  }
 
  /**