Problem/Motivation
ImageStyleDownloadController::deliver() does direct string comparison when checking the derivative token.
```php
$valid &= $request->query->get(IMAGE_DERIVATIVE_TOKEN) === $image_style->getPathToken($image_uri);
```
Steps to reproduce
I didn't attempt, so I guess this is more theoretical.
Proposed resolution
Use hash_equals() instead of direct string comparison.
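The comparison before and after the proposed change, as an added example that is not the webp module's code. `getPathToken()` below is a simplified stand-in for `ImageStyle::getPathToken()` (core derives a short HMAC from the style id, the URI and the site's private key); the secret and URI are constructed values. It also covers a caveat the one-line fix can trip over: `hash_equals()` accepts only strings, and a query parameter can be absent or an array.

```php
<?php
// Stand-in for ImageStyle::getPathToken(): an 8-character prefix of an HMAC over
// the style id and image URI, keyed with a site secret (constructed here).
function getPathToken(string $styleId, string $imageUri, string $secret): string
{
    $mac = hash_hmac('sha256', $styleId . ':' . $imageUri, $secret, true);
    return substr(base64_encode($mac), 0, 8);
}

// Before: `===` returns as soon as a byte differs, so the time the check takes
// depends on how many leading bytes of the supplied token were correct.
function tokenIsValidUnsafe($supplied, string $expected): bool
{
    return $supplied === $expected;
}

// After: hash_equals() compares every byte regardless of where the strings
// differ. Known string first, user-supplied string second. Both arguments must
// be strings: on PHP 8 a null or array raises a TypeError (PHP 7 warns and
// returns false), so reject non-strings before calling it.
function tokenIsValid($supplied, string $expected): bool
{
    if (!is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, $supplied);
}

// Constructed inputs for a stand-alone run.
$secret   = 'example-private-key-and-hash-salt';
$expected = getPathToken('large', 'public://example.png', $secret);

var_dump(tokenIsValid($expected, $expected));               // correct token
var_dump(tokenIsValid(substr($expected, 0, 7), $expected)); // truncated token
var_dump(tokenIsValid(null, $expected));                    // parameter missing
var_dump(tokenIsValid(['x'], $expected));                   // ?token[]=x
```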
Remaining tasks
Use hash_equals() instead of direct string comparison.
User interface changes
None.
API changes
Data model changes
None.
Comment | File | Size | Author |
---|---|---|---|
#10 | webp-fix-token-comparison-3188548-10.patch | 972 bytes | markus_petrux |
#2 | webp-fix-token-comparison-3188548-2.patch | 881 bytes | daceej |
Issue fork webp-3188548
Comments
Comment #2
daceej (CreditAttribution: daceej at Third and Grove) commented:
Patch to use hash_equals().

Comment #3
daceej (CreditAttribution: daceej at Third and Grove) commented

Comment #4
scott_euser (CreditAttribution: scott_euser at Soapbox Communications Ltd) commented:
This looks good to me. hash_equals is the recommended way from core after deprecation here.

Comment #9
Balu Ertl

Comment #10
markus_petrux (CreditAttribution: markus_petrux) commented:
Rerolled to apply to 1.x-dev

Comment #13
alexmoreno (CreditAttribution: alexmoreno at Acquia) commented

Comment #15
alexmoreno (CreditAttribution: alexmoreno at Acquia) commented

Comment #16
alexmoreno (CreditAttribution: alexmoreno at Acquia) commented

Comment #17
fathima.asmat (CreditAttribution: fathima.asmat at Soapbox Communications Ltd) commented:
This is fixed in the latest release https://www.drupal.org/project/webp/releases/8.x-1.0-beta6 and can be marked as closed.