Hey all
While reviewing a Pull Request today I stumbled upon something like the
following:
if($request->getParam('secret') === 'SecretFromWhereEver') {}
At first sight this code looks perfectly safe. However, there is a small
security implication that this code does not cover: the way C and PHP code
compares strings.
When you do a string comparison, the comparison stops at the first differing
character, so comparing "a === banana" is faster than comparing it to
"a === ananas". A very sophisticated attacker might use the timing difference
to guess the actual secret.
While actual exploitation of such things over the network is very hard and
highly unlikely in a lot of scenarios, we should not pass up the chance to
harden our code as much as possible with regards to future developments. Thus
for such comparisons always use \OCP\Security\StringUtils::equals($expected,
$input) starting from ownCloud 8.0.0. This method performs a somewhat
constant-time comparison but does not prevent the potential leakage of the
length of $expected, though this is a minor issue :-)
Cheers
Lukas
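As an added illustration of the two points above (the early-exit comparison and the constant-time replacement with its length caveat), here is a stand-alone PHP script. It is example code written for this page, not ownCloud's code and not the actual source of \OCP\Security\StringUtils::equals; the secret, the guesses and the function names naiveEquals, constantTimeEquals and timeCompare are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not ownCloud code: the early-exit === comparison from the
// reviewed PR next to a constant-time comparison in the spirit of
// \OCP\Security\StringUtils::equals (re-implemented here), plus a crude
// local timing probe. Secret and guesses below are constructed.

/**
 * What the PR did. PHP's === on two strings first compares their lengths and
 * then memcmp()s the bytes, returning at the first differing byte, so the
 * time spent grows with the length of the common prefix.
 */
function naiveEquals(string $expected, string $input): bool
{
    return $expected === $input;
}

/**
 * Constant-time comparison. Every byte of $expected is XORed with the
 * corresponding byte of $input and the results are OR-accumulated, so the
 * loop always runs strlen($expected) times no matter where the strings
 * diverge. What still leaks is strlen($expected), as the mail notes.
 * hash_equals() (PHP >= 5.6) has the same contract and is preferred.
 */
function constantTimeEquals(string $expected, string $input): bool
{
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $input);
    }
    $expectedLen = strlen($expected);
    $inputLen = strlen($input);
    if ($inputLen === 0) {
        // Nothing to index into; this reveals only that $input was empty.
        return $expectedLen === 0;
    }
    // Fold the length mismatch into the result but keep looping over the full
    // $expected so wrong-length guesses cost the same as right-length ones.
    $diff = $expectedLen ^ $inputLen;
    for ($i = 0; $i < $expectedLen; $i++) {
        // Wrap the index so a shorter $input never reads out of range.
        $diff |= ord($expected[$i]) ^ ord($input[$i % $inputLen]);
    }
    return $diff === 0;
}

/**
 * Microseconds per call for $compare($secret, $guess), averaged over $rounds.
 * A local loop, so far less noisy than anything an attacker sees on the wire.
 */
function timeCompare(callable $compare, string $secret, string $guess, int $rounds = 300000): float
{
    $start = hrtime(true);           // nanoseconds, PHP >= 7.3
    for ($i = 0; $i < $rounds; $i++) {
        $compare($secret, $guess);
    }
    return (hrtime(true) - $start) / $rounds / 1000.0;
}

// Constructed inputs: a same-length guess sharing no prefix with the secret,
// and one that is right in every byte but the last.
$secret      = 'SecretFromWhereEver';
$noPrefix    = str_repeat('x', strlen($secret));
$almostRight = substr($secret, 0, -1) . 'x';

// Correctness checks for the constant-time version.
assert(constantTimeEquals($secret, $secret) === true);
assert(constantTimeEquals($secret, $almostRight) === false);
assert(constantTimeEquals($secret, $noPrefix) === false);
assert(constantTimeEquals($secret, '') === false);
assert(constantTimeEquals($secret, $secret . 'x') === false);

foreach (['naiveEquals', 'constantTimeEquals'] as $fn) {
    printf("%-19s no-prefix guess %.4f us/call, almost-right guess %.4f us/call\n",
        $fn, timeCompare($fn, $secret, $noPrefix), timeCompare($fn, $secret, $almostRight));
}
```

Run it with `php timing.php` (PHP 7.3 or newer for hrtime()). For a 19-byte secret the difference between the two guesses under naiveEquals is a handful of nanoseconds and may well disappear in scheduler and cache noise even locally, which is exactly why the mail calls network exploitation hard; the point is that the === code path has a data-dependent exit and the constant-time one does not. Note that both hash_equals() and the fallback loop reject a wrong-length guess without touching the bytes beyond the length check, so the length of $expected is the one thing a timing observer can still learn.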
_______________________________________________
Devel mailing list
[email protected]
http://mailman.owncloud.org/mailman/listinfo/devel