Problem/Motivation

EmailTfaVerifyLoginForm::loginValidateForm() compares the submitted code with !=. This could make it vulnerable to timing attacks: the comparison takes slightly longer when the beginning of the two strings is the same, so the response time leaks how much of the prefix matched.

Steps to reproduce

Proposed resolution

It should probably use hash_equals() instead.
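The weak and the hardened comparison side by side, as an added example that is not the email_tfa module's own code (the function names, the guard around the raw form value and the sample codes are constructed for illustration):

```php
<?php
// Added illustration, not code from the email_tfa module.

// Weak form: PHP's loose != stops at the first differing byte, so the time
// taken grows with the length of the common prefix. Loose comparison also
// treats two numeric strings as numbers rather than as byte strings.
function codeMatchesLoose(string $expected, string $submitted): bool {
  return !($submitted != $expected);
}

// Hardened form: hash_equals() (PHP >= 5.6) compares in constant time for
// strings of equal length. It returns false straight away when the lengths
// differ, so only the length can leak, and it compares bytes strictly,
// never numerically.
function codeMatchesConstantTime(string $expected, string $submitted): bool {
  return hash_equals($expected, $submitted);
}

// Hypothetical guard around a form value: a crafted request can submit an
// array or null instead of a string, and hash_equals() throws a TypeError on
// non-string arguments in PHP 8, so normalise before comparing.
function validateSubmittedCode(string $expected, mixed $raw): bool {
  if (!is_string($raw) && !is_int($raw)) {
    return FALSE;
  }
  return codeMatchesConstantTime($expected, (string) $raw);
}

// Constructed sample values.
$expected = '483920';

var_dump(codeMatchesLoose($expected, '483920'));
var_dump(codeMatchesConstantTime($expected, '483920'));

// Both operands are numeric strings, so loose comparison evaluates them
// numerically while hash_equals() compares the bytes.
var_dump(codeMatchesLoose('1000', '1e3'));
var_dump(codeMatchesConstantTime('1000', '1e3'));

// A non-string value is rejected before it reaches hash_equals().
var_dump(validateSubmittedCode($expected, ['483920']));
```

Run with php on the command line. The first pair of calls agrees, but the second pair does not: loose comparison considers '1000' and '1e3' equal because PHP compares two numeric strings as numbers, whereas hash_equals() sees different byte strings. That strict, length-gated, constant-time behaviour is why hash_equals() is the right primitive for checking a one-time code, with the submitted value cast to string first and the expected code passed as the first argument.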

Remaining tasks

User interface changes

API changes

Data model changes

Comments

prudloff created an issue. See original summary.


Issue tags: +email_tfa v2.0.6

  • 6f530684 committed on 2.0.x
    Issue #3531139 by prudloff, abdulaziz zaid: Harden TFA code comparison...

Status: Active » Fixed

Thanks for catching this! Fixed in commit 6f530684 using hash_equals().


Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.