Contrib.social

Harden TFA code comparison against timing attacks

Open on Drupal.org →
Created on 19 June 2025, 8 days ago

Problem/Motivation

EmailTfaVerifyLoginForm::loginValidateForm() compares the code with !=, this could make it vulnerable to timing attacks (the comparison is slightly slower if the beginning of the two strings is the same).

Steps to reproduce

Proposed resolution

It should probably use hash_equals() instead.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

2.0

Component

Code

Created by

🇫🇷France prudloff Lille

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024