oss-sec mailing list archives
Re: PHP and some == wonkiness
From: Pádraic Brady <padraic.brady () gmail com>
Date: Mon, 4 May 2015 19:34:42 +0100
Hi Kurt, On 4 May 2015 at 17:21, Kurt Seifried <kseifried () redhat com> wrote:
> https://news.ycombinator.com/item?id=9484757
>
> Read the entire thread for an ongoing series of "what the heck?". Some
> examples include:
>
> =================
> This is well-known PHP-trick. Use === to right result.
>
> php > var_dump(md5('240610708') == md5('QNKCDZO'));
> bool(true)
> php > var_dump(md5('240610708'), md5('QNKCDZO'));
> string(32) "0e462097431906509019562988736854"
> string(32) "0e830400451993494058024219903391"
> php > var_dump(md5('240610708') === md5('QNKCDZO'));
> bool(false)
> php > var_dump("0e462097431906509019562988736854" == "0e830400451993494058024219903391");
> bool(true)
> php > var_dump("0e462097431906509019562988736854" === "0e830400451993494058024219903391");
> bool(false)
> php > var_dump(md5('240610708') === md5('QNKCDZO'));
> bool(false)
> php > var_dump(md5('240610708') == md5('QNKCDZO'));
> bool(true)
> php > var_dump(md5('240610708') === md5('QNKCDZO'));
> bool(false)
> =================
>
> I'm guessing there is more than a bit of code that uses == to compare
> passwords/etc. Something to be aware of.
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
It all boils down to PHP loose typing/type juggling for == and strict type comparison for ===. The first option will trigger a set of rules capable of converting strings into floats or integers, based on whether both strings are representative of a float (i.e. your example), or where one of the values being compared is already an integer/float.

Unfortunately, it is indeed a common weakness to not use strict comparisons in security-related code. For example, Laravel had a recent issue in comparing CSRF tokens where passing in a zero always passed the check because of this mistake, and more than a few validation libraries use the in_array() function, which uses loose comparisons under the hood.

In terms of tokens/passwords, the recommended practice has turned to using a fixed-time comparison function. There are userland examples in the major frameworks, but PHP 5.6 also added hash_equals():

http://php.net/manual/en/function.hash-equals.php

Basically, any sort of comparison using == is one of the quick things you can check PHP source for when reviewing for likely security issues where at least one side can be an int/float.

Paddy

--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
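The behaviour discussed in this thread, as an added example that is not part of either message above: the two md5 digests from Kurt's session compared with ==, ===, in_array() in loose and strict mode, and hash_equals(). The function names checkTokenLoose and checkTokenStrict and the $validTokens array are constructed for illustration; md5(), in_array() and hash_equals() are the standard PHP functions.

```php
<?php
// Added example (not from the oss-sec thread): loose vs strict comparison of
// hash strings in PHP, and the hash_equals() alternative mentioned by Paddy.
declare(strict_types=1);

// The two digests from Kurt's message. Both are of the form "0e<digits>",
// which PHP treats as a numeric string equal to 0.0 when compared with ==.
$a = md5('240610708'); // "0e462097431906509019562988736854"
$b = md5('QNKCDZO');   // "0e830400451993494058024219903391"

var_dump($a == $b);  // bool(true):  both numeric strings, compared as floats
var_dump($a === $b); // bool(false): same type, different bytes

// in_array() compares with == unless its third argument is true.
$validTokens = [$a]; // constructed "known good" list
var_dump(in_array($b, $validTokens));       // bool(true):  loose match on "0e..."
var_dump(in_array($b, $validTokens, true)); // bool(false): strict match

// Token check the way the thread warns against: any "0e<digits>" string
// passes against an expected "0e<digits>" digest.
function checkTokenLoose(string $expected, string $supplied): bool
{
    return $expected == $supplied;
}

// Token check with hash_equals() (PHP >= 5.6): byte-wise, constant-time.
// Note that hash_equals() requires two strings; request data that arrives as
// an array or null must be rejected or cast before it gets here, otherwise
// PHP 8 throws a TypeError (earlier versions warn and return false).
function checkTokenStrict(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

var_dump(checkTokenLoose($a, $b));  // bool(true):  the weakness
var_dump(checkTokenStrict($a, $b)); // bool(false): the fix
var_dump(checkTokenStrict($a, $a)); // bool(true):  genuine match still works
```

When reviewing, grep for `==` and `in_array(` without a third argument near anything named token, hash, password or signature; the strict forms (`===`, `in_array(..., true)`, `hash_equals()`) are the drop-in replacements in each case.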