- Issue created by @prudloff
MailchimpWebhookController::endpoint() compares the hash with $webhook_hash !== $hash; this could make it vulnerable to timing attacks (the comparison is slightly slower if the beginning of the two strings is the same).
We should probably use hash_equals() instead.
Active
3.0
General
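An added example of the change the issue asks for, written for this page rather than taken from the Mailchimp module (the module's own endpoint() code is not shown here). It puts the early-exit `!==` comparison beside a hash_equals() check and handles the case where the incoming value is missing. The helper names and the way the expected hash is derived (HMAC-SHA256 over the raw body with a shared secret) are assumptions for illustration only.

```php
<?php
// Added example, not code from the Mailchimp module. It contrasts the
// early-exit string comparison the issue describes with a constant-time
// check. The hash derivation (HMAC-SHA256 of the raw body under a shared
// secret) is an assumption made for this example.

declare(strict_types=1);

function computeWebhookHash(string $secret, string $body): string
{
    return hash_hmac('sha256', $body, $secret);
}

// Leaky form: `!==` on strings stops at the first differing byte, so the
// time taken depends on how many leading bytes of the guess were correct.
function verifyHashLeaky(string $expected, string $provided): bool
{
    return !($expected !== $provided);
}

// Hardened form: hash_equals() examines every byte regardless of where the
// first mismatch is. Its first argument must be the known-good value.
function verifyHashConstantTime(string $expected, ?string $provided): bool
{
    // hash_equals() requires two strings; a missing header is rejected
    // here instead of being passed in (PHP 8 would raise a TypeError).
    if ($provided === null) {
        return false;
    }
    return hash_equals($expected, $provided);
}

// Constructed sample input for running the example stand-alone.
$secret = 'example-shared-secret';
$body = '{"type":"subscribe","data":{"email":"user@example.com"}}';
$expected = computeWebhookHash($secret, $body);

$cases = [
    'correct hash'        => $expected,
    'last byte wrong'     => substr($expected, 0, -1) . 'x',
    'wrong length'        => substr($expected, 0, 10),
    'missing header'      => null,
];

foreach ($cases as $label => $provided) {
    $ok = verifyHashConstantTime($expected, $provided) ? 'accepted' : 'rejected';
    echo str_pad($label, 18) . ' : ' . $ok . PHP_EOL;
}
```

Keeping the trusted value as the first argument matters: hash_equals() returns false straight away when the two lengths differ, which only reveals the length of the known-good hash, not its contents.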