Contrib.social

Harden webhook hash against timing attacks

Open on Drupal.org β†’
Created on 19 June 2025, 2 months ago

Problem/Motivation

MailchimpWebhookController::endpoint() compares the hash with $webhook_hash !== $hash, this could make it vulnerable to timing attacks (the comparison is slightly slower if the beginning of the two strings is the same).

Steps to reproduce

Proposed resolution

We should probably use hash_equals() instead.

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Active

Version

3.0

Component

General

Created by

πŸ‡«πŸ‡·France prudloff Lille

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024