oss-sec mailing list archives
Re: PHP and some == wonkiness
From: Florian Weimer <fweimer () redhat com>
Date: Tue, 05 May 2015 08:53:42 +0200
On 05/04/2015 08:34 PM, Pádraic Brady wrote:
It all boils down to PHP loose typing/type juggling for == and strict type comparison for ===. The first option will trigger a set of rules capable of converting strings into floats or integers, based on whether both strings are representative of a float (i.e. your example), or where one of the values being compared is already an integer/float. Unfortunately, it is indeed a common weakness to not use strict comparisons in security related code. For example, Laravel had a recent issue in comparing CSRF tokens where passing in a zero always passed the check from this mistake,
Oh. But the current case apparently needs a string from a very specific set. Do we know the digests which trigger this? If it has to be "0e" followed by only digits on both sides, it is somewhat unlikely that you have a reference string with this property, especially if SHA-1 is used (around 6.84×10¯¹¹, if I'm not mistaken). -- Florian Weimer / Red Hat Product Security
Current thread:
- PHP and some == wonkiness Kurt Seifried (May 04)
- Re: PHP and some == wonkiness Pádraic Brady (May 04)
- Re: PHP and some == wonkiness Florian Weimer (May 04)
- Re: PHP and some == wonkiness mancha (May 05)
- Re: PHP and some == wonkiness Florian Weimer (May 05)
- Re: PHP and some == wonkiness mancha (May 05)
- Re: PHP and some == wonkiness mancha (May 05)
- Re: PHP and some == wonkiness Grandma Eubanks (May 05)
- Re: PHP and some == wonkiness Sliv TaMere (May 06)
- Re: PHP and some == wonkiness Florian Weimer (May 04)
- Re: PHP and some == wonkiness Pádraic Brady (May 04)