Problem: PHP does type juggling and tries to convert strings that look like numbers to numbers when using the "==" operator. When comparing hashes for security reasons we should always use "===".
Since this module does not have a stable release yet, we can fix this security issue in public. I would recommend releasing a stable 1.0 version immediately after this fix.
Note that the probability of this being exploitable is very, very low. Predicting a hash that starts with "0e" is difficult. Example where this can happen: https://eval.in/111259
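Added example in PHP (not code from the issue, the patch or the rules_link module) showing the loose comparison the issue describes beside the strict form; the token values are constructed so that both parse as numeric strings.

```php
<?php
// Added example, not code from the issue or the rules_link module.
// Demonstrates the "==" versus "===" hash comparison problem from the issue.

// Vulnerable form: loose comparison. If both strings parse as numeric
// (for example both start with "0e" followed only by digits), PHP compares
// them as floats, and 0e123... == 0e456... evaluates to true.
function token_matches_loose(string $expected, string $given): bool {
  return $expected == $given;
}

// Fixed form: strict comparison, as the patch does. hash_equals() is also
// strict and, unlike ===, does not stop at the first differing byte, so it
// is preferred when the comparison itself could leak timing information.
function token_matches_strict(string $expected, string $given): bool {
  return hash_equals($expected, $given);
}

// Constructed sample values (not real tokens): two distinct 32-character
// strings that PHP both interprets as the float 0.0 in a numeric context.
$expected = '0e462097431906509019562988736854';
$given    = '0e830400451993494058024219903391';

var_dump(token_matches_loose($expected, $given));  // bool(true): different tokens accepted
var_dump(token_matches_strict($expected, $given)); // bool(false): rejected, as it should be

// Ordinary hex digests that are not numeric strings compare correctly
// either way, which is why the bug goes unnoticed almost all of the time.
var_dump(token_matches_loose('a3f1c0', 'b7e2d9'));  // bool(false)
```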
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | rules-link-token-compare-2211013-1.patch | 937 bytes | klausi |
Comments
Comment #1
klausi: Patch that fixes the operator and also removes the usage of md5(), which is not allowed by enterprise security policies.
Comment #2
klausi
Comment #3
sepgil: Thx, committed it.