Date: Mon, 4 May 2015 19:34:42 +0100
From: Pádraic Brady <padraic.brady@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: PHP and some == wonkiness

Hi Kurt,

On 4 May 2015 at 17:21, Kurt Seifried <kseifried@...hat.com> wrote:
> https://news.ycombinator.com/item?id=9484757 read the entire thread for
> an ongoing series of "what the heck?".
>
> Some examples include:
> =================
> This is well-known PHP-trick. Use === to right result.
> php > var_dump(md5('240610708') == md5('QNKCDZO'));
> bool(true)
> php > var_dump(md5('240610708'), md5('QNKCDZO'));
>
>
> string(32) "0e462097431906509019562988736854"
> string(32) "0e830400451993494058024219903391"
> php > var_dump(md5('240610708') === md5('QNKCDZO'));
>
>
> bool(false)
> php > var_dump("0e462097431906509019562988736854" ==
> "0e830400451993494058024219903391");
> bool(true)
> php > var_dump("0e462097431906509019562988736854" ===
> "0e830400451993494058024219903391");
> bool(false)
> php > var_dump(md5('240610708') === md5('QNKCDZO'));
>
>
> bool(false)
> php > var_dump(md5('240610708') == md5('QNKCDZO'));
>
> bool(true)
> php > var_dump(md5('240610708') === md5('QNKCDZO'));
> bool(false)
> =================
>
> I'm guessing there is more than a bit of code that uses == to compare
> passwords/etc. Something to be aware of.
>
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>

It all boils down to PHP loose typing/type juggling for == and strict
type comparison for ===. The first option will trigger a set of rules
capable of converting strings into floats or integers, based on whether
both strings are representative of a float (i.e. your example), or
where one of the values being compared is already an integer/float.

Unfortunately, it is indeed a common weakness to not use strict
comparisons in security related code. For example, Laravel had a recent
issue in comparing CSRF tokens where passing in a zero always passed the
check from this mistake, and more than a few validation libraries use
the in_array() function which uses loose comparisons under the hood.

In terms of tokens/passwords, the recommended practice has turned to
using a fixed time comparison function. There are userland examples in
the major frameworks, but PHP 5.6 also added hash_equals():
http://php.net/manual/en/function.hash-equals.php

Basically, any sort of comparison using == is one of the quick things
you can check PHP source for when reviewing for likely security issues
where at least one side can be an int/float.

Paddy

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
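As an added example (not code from either mail), the behaviour Paddy describes, in PHP: loose versus strict comparison on the two digests from Kurt's mail, the strict flag that in_array() needs, and a hash_equals()-based token check that also rejects non-string input such as the zero in the Laravel case. token_matches() is a hypothetical helper name chosen for this example.

```php
<?php
// Added example: why "==" on hash strings is unsafe in PHP and how
// strict comparison plus hash_equals() avoid it.

// The two inputs quoted in Kurt's mail. Both MD5 digests start with "0e"
// followed only by digits, so PHP's loose comparison treats each of them
// as a numeric string, converts both to the float 0.0, and calls them equal.
$a = md5('240610708'); // "0e462097431906509019562988736854"
$b = md5('QNKCDZO');   // "0e830400451993494058024219903391"

var_dump($a == $b);   // loose: type juggling compares the two as floats
var_dump($a === $b);  // strict: the 32-character strings are compared as-is

// Loose comparison with a non-string side is the same problem from the
// other direction: an integer on one side makes PHP convert the string
// side before comparing (PHP 8 changed the rules for non-numeric strings).
var_dump("abc" == 0);

// in_array() uses == by default. Passing true as the third argument makes
// it use ===, so the second digest is no longer "found" in the list.
$allowed = ['0e462097431906509019562988736854'];
var_dump(in_array('0e830400451993494058024219903391', $allowed));
var_dump(in_array('0e830400451993494058024219903391', $allowed, true));

// A token/password-hash check: reject anything that is not a string up
// front (hash_equals() warns or throws on non-string arguments, depending
// on PHP version), then compare the two strings in fixed time.
function token_matches($expected, $supplied): bool
{
    if (!is_string($expected) || !is_string($supplied)) {
        return false; // a 0, null or array from a client must never "match"
    }
    // Strict, length-checked, fixed-time comparison (PHP >= 5.6).
    return hash_equals($expected, $supplied);
}

var_dump(token_matches($a, $b)); // different digests
var_dump(token_matches($a, $a)); // identical strings
var_dump(token_matches($a, 0));  // the "pass in a zero" case from the mail
```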