function phutil_hashes_are_identical($u, $v)
Arcanist Technical Documentation
Compare two hashes for equality.
This function defuses two attacks: timing attacks and type juggling attacks.
In a timing attack, the attacker observes that strings which match the secret take slightly longer to fail to match, because more characters are compared before the mismatch is found. By testing a large number of strings, they can learn the secret character by character. This function defuses timing attacks by always doing the same amount of work regardless of where (or whether) the inputs differ.
In a type juggling attack, an attacker takes advantage of PHP's loose comparison rules, under which "0" == "0e12345" for any exponent. A portion of hexadecimal hashes match this numeric pattern and are vulnerable when compared with "==". This function defuses the attack by performing a bytewise, character-by-character comparison instead.
It is questionable how practical these attacks are, but they are possible in theory and defusing them is straightforward.
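The following is an added illustration, not the Arcanist implementation, of the two points above: a loose "==" comparison that is exposed to both attacks, beside a constant-time bytewise comparison in the spirit of phutil_hashes_are_identical(). The function name hashes_are_identical_example() and the sample inputs are constructed for this example.

```php
<?php
// Added example; not the code from src/utils/utils.php.

// Naive comparison: exposed to both attacks described above. PHP's "=="
// treats two numeric strings numerically, so "0" == "0e12345" is true,
// and the underlying string compare can stop at the first differing byte.
function naive_hashes_match($u, $v) {
  return $u == $v;
}

// Constant-time, bytewise comparison. Both inputs must be strings so that
// no type juggling can take place before the bytes are compared.
function hashes_are_identical_example($u, $v) {
  if (!is_string($u) || !is_string($v)) {
    throw new InvalidArgumentException('Both hashes must be strings.');
  }

  // hash_equals() (PHP >= 5.6) is the built-in timing-safe comparison.
  if (function_exists('hash_equals')) {
    return hash_equals($u, $v);
  }

  // Fallback for older PHP: hashes of a given algorithm have a fixed
  // length, so rejecting on a length mismatch leaks nothing useful.
  $u_len = strlen($u);
  $v_len = strlen($v);
  if ($u_len !== $v_len) {
    return false;
  }

  // XOR every byte pair and OR the results together. The loop never exits
  // early, so the work done does not depend on where the inputs differ.
  $bits = 0;
  for ($ii = 0; $ii < $u_len; $ii++) {
    $bits |= (ord($u[$ii]) ^ ord($v[$ii]));
  }
  return ($bits === 0);
}

// Constructed inputs matching the "0" == "0e12345" pattern from the text.
$stored = '0';
$supplied = '0e12345';

var_dump(naive_hashes_match($stored, $supplied));
var_dump(hashes_are_identical_example($stored, $supplied));
var_dump(hashes_are_identical_example('abc123', 'abc123'));
```

Run with the PHP CLI: the loose comparison reports the two numeric-looking strings as equal, while the bytewise comparison rejects them and accepts only genuinely identical strings. Note that hash_equals() compares its arguments byte by byte in constant time but still requires both to be strings, which is why the is_string() check comes first.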
Parameters
  string  $u  First hash.
  string  $v  Second hash.

Return
  bool  True if the hashes are identical.
Defined: src/utils/utils.php:1661