Assist Crypt::HmacBase64 users to prevent HMACs over undelimited, composite messages

Created on 30 May 2015, over 9 years ago
Updated 8 March 2023, over 1 year ago

Suppose:

$part1 = 'foo';
$part2 = 'bar';
$hmac = Crypt::HmacBase64($part1 . $part2, $somekey);

The problem: The resulting HMAC is identical for the following combinations of $part1 and $part2:

part1 |part2
------|------
foo   |bar
foob  |ar
fooba |r
foobar|
fo    |obar
f     |oobar
      |foobar

Examples of the problems this can cause down the line:

Both Fabian and I looked at the current use of undelimited HMAC calculation in core. Neither of us thinks they are an acute problem.

Helping users prevent such mistakes would be a significant improvement to the HMAC API, however.

I've attached two patches:
- minimal note telling the user about delimiting parts
- change to the function signature of HmacBase64 to allow an arbitrary number of message parts preceding the key.

An alternative would be a HmacMultipleBase64 that takes an array of strings as the first parameter. Speaking of strings, why does the function check on is_scalar? The PHP documentation of hash_hmac states the params accepted are strings.

✨ Feature request
Status

Closed: outdated

Version

9.5

Component
Base


Created by

🇳🇱 Netherlands Heine

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
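
The collision from the table in the issue summary, next to length-prefixed parts as one way to delimit them. This is an added example, not code from the issue, its patches, or Drupal core. `hmac_base64()` is a stand-in assumed to behave like Crypt::HmacBase64, `hmac_parts_base64()` is a hypothetical helper, and the key is constructed.

```php
<?php
declare(strict_types=1);

// Stand-in for Crypt::HmacBase64 (assumption): URL-safe base64 of HMAC-SHA256.
function hmac_base64(string $data, string $key): string {
  $raw = hash_hmac('sha256', $data, $key, true);
  return strtr(rtrim(base64_encode($raw), '='), '+/', '-_');
}

// Hypothetical helper: prefix every part with its byte length as a 64-bit
// big-endian integer (pack 'J', needs 64-bit PHP), so the encoded message
// can only be split back into parts one way.
function hmac_parts_base64(array $parts, string $key): string {
  $message = '';
  foreach ($parts as $part) {
    if (!is_string($part)) {
      throw new InvalidArgumentException('Every message part must be a string.');
    }
    $message .= pack('J', strlen($part)) . $part;
  }
  return hmac_base64($message, $key);
}

$key = 'constructed-demo-key'; // Constructed sample key, not a real secret.

// Some of the splits of "foobar" listed in the table.
$splits = [['foo', 'bar'], ['foob', 'ar'], ['foobar', ''], ['', 'foobar']];

$concat = $framed = [];
foreach ($splits as [$part1, $part2]) {
  $concat[] = hmac_base64($part1 . $part2, $key);        // undelimited
  $framed[] = hmac_parts_base64([$part1, $part2], $key); // length-prefixed
}

// Count how many distinct HMACs each construction yields for the splits.
printf("concatenated:    %d distinct HMAC(s)\n", count(array_unique($concat)));
printf("length-prefixed: %d distinct HMAC(s)\n", count(array_unique($framed)));

// A fixed delimiter only separates parts that can never contain it:
// both part lists below join to the same string.
$a = hmac_base64(implode(':', ['a:', 'b']), $key);
$b = hmac_base64(implode(':', ['a', ':b']), $key);
printf("':'-joined parts containing ':': %s\n", hash_equals($a, $b) ? 'collide' : 'differ');
```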
