- Issue created by @prudloff
DisableLoginAccessCheck::hasValidSecretToken() compares the key with ==; this could make it vulnerable to timing attacks (the comparison is slightly slower if the beginning of the two strings is the same).
It should probably use hash_equals() instead.
Status: Active
Version: 1.1
Component: Code
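An added example, not the module's own code, showing the reported == pattern next to a hash_equals() version with the input-type check a practitioner would add; the function names, the secret and the sample tokens are constructed. It also goes beyond the timing point to show a second reason == is the wrong operator for secrets: PHP compares two numeric-looking strings as numbers.

```php
<?php
// Added example, not the module's code. Function names and token values are
// constructed for illustration.

// Reported pattern: == is a loose comparison that stops at the first
// differing byte, so the time it takes leaks how many leading bytes matched.
function hasValidSecretTokenLoose(string $expected, string $provided): bool
{
    return $expected == $provided;
}

// Proposed fix: hash_equals() compares over the full length of the known
// string in constant time and compares strictly as strings. It requires two
// string arguments, so a missing parameter or a non-string value from the
// request is rejected here instead of being coerced or raising an error.
function hasValidSecretTokenSafe(string $expected, $provided): bool
{
    if (!is_string($provided)) {
        return false;
    }
    // Known secret first, user-supplied value second, as the signature
    // (hash_equals(string $known_string, string $user_string)) documents.
    return hash_equals($expected, $provided);
}

// Constructed secret; in the module this would come from configuration.
$secret = 'constructed-example-secret-token';

var_dump(hasValidSecretTokenLoose($secret, $secret));
var_dump(hasValidSecretTokenSafe($secret, $secret));
var_dump(hasValidSecretTokenSafe($secret, 'wrong-token'));
var_dump(hasValidSecretTokenSafe($secret, null));

// Second hazard of ==, independent of timing: two numeric-looking strings are
// compared as numbers, so "0e123" == "0e456" is true (both evaluate to 0.0).
// hash_equals() treats them as distinct byte strings.
var_dump(hasValidSecretTokenLoose('0e123', '0e456'));
var_dump(hasValidSecretTokenSafe('0e123', '0e456'));
```

Note that hash_equals() still returns early when the two lengths differ, so it hides where the strings diverge but not whether the submitted value has the right length.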