Problem: PHP does type juggling and tries to convert strings that look like numbers to numbers when using the "==" operator. When comparing hashes for security reasons we should always use "===".

Since this module does not have a stable release yet we can fix this security issue in public. I would recommend releasing a stable 1.0 version immediately after this fix.

Note that the probability of this being exploitable is very, very low. Predicting a hash that starts with "0e" is difficult. Example where this can happen: https://eval.in/111259

Comment  File                                         Size       Author
#1       rules-link-token-compare-2211013-1.patch     937 bytes  klausi

Comments

klausi

Patch that fixes the operator and also removes the usage of md5(), which is not allowed by enterprise security policies.
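As an added illustration of the comparison bug described in the issue and of the md5() replacement mentioned in the patch comment, here is PHP code that is not part of the module or the attached patch; the function names, the secret and the token values are assumptions:

```php
<?php
// Added example, not the Rules Link module's code or the attached patch.
// Two different strings that PHP's loose comparison treats as numeric
// ("0e" followed by digits parses as 0 * 10^N, i.e. zero). Constructed
// values, not real hash output.
$stored   = '0e1111111111111111111111111111111';
$supplied = '0e9999999999999999999999999999999';

// Vulnerable form: "==" converts numeric-looking strings to numbers
// before comparing, so two unrelated "0e..." tokens are treated as equal.
function token_matches_loose(string $expected, string $given): bool
{
    return $expected == $given;
}

// Fixed form: "===" compares type and bytes, no type juggling.
function token_matches_strict(string $expected, string $given): bool
{
    return $expected === $given;
}

// Further hardened form: a keyed SHA-256 token instead of md5(), and
// hash_equals() so the comparison takes the same time whether the first
// or the last byte differs. Hypothetical helper names.
function link_token(string $secret, string $payload): string
{
    return hash_hmac('sha256', $payload, $secret);
}

function token_matches_hardened(string $secret, string $payload, string $given): bool
{
    return hash_equals(link_token($secret, $payload), $given);
}

// Assumed secret and payload for demonstration only.
$secret  = 'assumed-site-private-key';
$payload = 'node/1|action_id';
$good    = link_token($secret, $payload);
$bad     = link_token('some-other-key', $payload);

var_dump(token_matches_loose($stored, $supplied));       // juggled compare
var_dump(token_matches_strict($stored, $supplied));      // strict compare
var_dump(token_matches_hardened($secret, $payload, $good));
var_dump(token_matches_hardened($secret, $payload, $bad));
```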

klausi

Status: Active » Needs review
sepgil

Status: Needs review » Fixed

Thx, committed it.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.