Use hash_equals() function for check of secret

Created on 15 April 2025, 3 days ago

Problem/Motivation

As part of the verification of the login link, the stored secret is compared to the user-supplied secret.

The comparison uses the != operator. This is a potential security risk because the operator could reveal information about the secret through the timing of its execution.

While this would be very difficult to exploit, PHP provides a safer comparison function, hash_equals(), so changing to use that would prevent a potential exploit.

Proposed resolution

Change the Verifier::verifyAndLogin method to use hash_equals().

Remaining tasks

In the src/Service/Verifier.php class:

  • Change the name of the $secret parameter to $user_secret, to make it clear that the passed in value is the user provided secret.
  • Replace the current $loginInfo->secret != $secret with a call to hash_equals(). Note that the user-provided secret should be the second parameter.
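
The change described in the two tasks above, sketched as an added example (this is not the module's actual Verifier code). The LoginInfo class and both function names are hypothetical stand-ins; only the ->secret property, the $secret and $user_secret names and hash_equals() come from the issue text. A nullable stored secret is an assumption made to show the fail-closed check.

```php
<?php

declare(strict_types=1);

// Hypothetical stand-in for the stored login record.
final class LoginInfo
{
    public function __construct(public ?string $secret) {}
}

// Before: != is a loose comparison whose running time can depend on the
// compared data, and it also applies PHP's type juggling to the operands.
function secretMatchesLoose(LoginInfo $loginInfo, string $secret): bool
{
    return !($loginInfo->secret != $secret);
}

// After: timing-safe comparison, with the known (stored) value first and
// the user-supplied value second.
function secretMatches(LoginInfo $loginInfo, string $user_secret): bool
{
    // hash_equals() accepts only strings. Assumption: a record may have no
    // secret, so reject that case explicitly instead of passing null on.
    if ($loginInfo->secret === null || $loginInfo->secret === '') {
        return false;
    }
    return hash_equals($loginInfo->secret, $user_secret);
}

// Constructed sample values, not real tokens.
$stored = new LoginInfo(bin2hex(random_bytes(16)));

// Matching and non-matching user input against the stored secret.
var_dump(secretMatches($stored, (string) $stored->secret));
var_dump(secretMatches($stored, str_repeat('0', 32)));

// Two different numeric-looking strings: the loose operator compares them
// as numbers, hash_equals() compares them byte for byte.
var_dump(secretMatchesLoose(new LoginInfo('1e3'), '1000'));
var_dump(secretMatches(new LoginInfo('1e3'), '1000'));

// Missing stored secret with empty user input must not verify.
var_dump(secretMatches(new LoginInfo(null), ''));
```

hash_equals() still returns early when the two strings differ in length, which is acceptable when the secrets are fixed-length random tokens.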

User interface changes

None.

API changes

None.

Data model changes

None.

📌 Task
Status

Active

Version

1.0

Component

Code

Created by

🇮🇪Ireland lostcarpark
