From 662ed9feeaf190e6437c60b5f4735e455153f547 Mon Sep 17 00:00:00 2001
From: Nikolay Bachiyski
Date: Sun, 6 Dec 2015 22:03:41 +0000
Subject: [PATCH] Docs: clarify inline docs for hash_equals

Before the docs implied the complexity of the function was O(1) by using the term "constant time", now we use the more descriptive term "Timing attack safe".

Props AramZS. Fixes #32778.

git-svn-id: https://develop.svn.wordpress.org/trunk@35805 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/compat.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/wp-includes/compat.php b/src/wp-includes/compat.php
index 24da0adc3e..212ff8e332 100644
--- a/src/wp-includes/compat.php
+++ b/src/wp-includes/compat.php
@@ -228,15 +228,18 @@ if ( !function_exists('json_decode') ) {
 if ( ! function_exists( 'hash_equals' ) ) :
 /**
- * Compare two strings in constant time.
+ * Timing attack safe string comparison
+ *
+ * Compares two strings using the same time whether they're equal or not.
  *
  * This function was added in PHP 5.6.
- * It can leak the length of a string.
+ *
+ * Note: It can leak the length of a string when arguments of differing length are supplied.
  *
  * @since 3.9.2
  *
  * @param string $a Expected string.
- * @param string $b Actual string.
+ * @param string $b Actual, user supplied, string.
  * @return bool Whether strings are equal.
  */
 function hash_equals( $a, $b ) {