Problem/Motivation

ImageStyleDownloadController::deliver() does direct string comparison when checking the derivative token.

$valid &= $request->query->get(IMAGE_DERIVATIVE_TOKEN) === $image_style->getPathToken($image_uri);

Steps to reproduce

I didn't attempt, so I guess this is more theoretical.

Proposed resolution

Use hash_equals() instead of direct string comparison.
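As an added illustration (not the WebP module's or Drupal core's code), the following PHP puts the `===` check quoted above beside the `hash_equals()` form this issue proposes. `IMAGE_DERIVATIVE_TOKEN` is the real Drupal constant; `pathToken()`, the two check functions, the key and the request values are assumptions constructed for the example.

```php
<?php
// Added example, not code from the WebP module or Drupal core.
// IMAGE_DERIVATIVE_TOKEN is Drupal's real query key for derivative tokens;
// everything else below is an illustrative stand-in.

const IMAGE_DERIVATIVE_TOKEN = 'itok';

// Stand-in for ImageStyle::getPathToken(): a truncated HMAC over the image URI
// keyed by a site-private secret. Constructed; Drupal derives its own key.
function pathToken(string $imageUri, string $secretKey): string {
  return substr(hash_hmac('sha256', $imageUri, $secretKey), 0, 8);
}

// BEFORE: === compares byte by byte and stops at the first mismatch, so the
// time the comparison takes depends on how many leading bytes of the supplied
// token were correct. That is the timing side channel this issue is about.
function tokenIsValidUnsafe(?string $supplied, string $expected): bool {
  return $supplied === $expected;
}

// AFTER: hash_equals() runs in time independent of where the strings differ.
// The known-good value is passed first, and both arguments must be strings:
// hash_equals() raises a TypeError for non-strings on PHP 8, so a missing or
// malformed query parameter is rejected before the comparison is reached.
function tokenIsValidSafe($supplied, string $expected): bool {
  if (!is_string($supplied)) {
    return false;
  }
  return hash_equals($expected, $supplied);
}

// Constructed request: the token arrives as the 'itok' query parameter.
$secretKey = 'constructed-site-secret';
$imageUri  = 'public://2020/photo.jpg';
$expected  = pathToken($imageUri, $secretKey);

$goodQuery = [IMAGE_DERIVATIVE_TOKEN => $expected];
$badQuery  = [IMAGE_DERIVATIVE_TOKEN => '00000000'];
$noToken   = [];

var_dump(tokenIsValidSafe($goodQuery[IMAGE_DERIVATIVE_TOKEN] ?? null, $expected));
var_dump(tokenIsValidSafe($badQuery[IMAGE_DERIVATIVE_TOKEN] ?? null, $expected));
var_dump(tokenIsValidSafe($noToken[IMAGE_DERIVATIVE_TOKEN] ?? null, $expected));
```

The `is_string()` guard matters in practice: `$request->query->get()` returns `null` when the parameter is absent, and `===` silently handled that case, whereas `hash_equals()` does not accept it.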

Remaining tasks

Use hash_equals() instead of direct string comparison.

User interface changes

None.

API changes

Data model changes

None.

Issue fork webp-3188548


Comments

daceej created an issue.

daceej:

Patch to use hash_equals().

daceej:

Assigned: daceej » Unassigned
Status: Active » Needs review
scott_euser:

Status: Needs review » Reviewed & tested by the community

This looks good to me. hash_equals is the recommended way from core after deprecation here.

alexmoreno made their first commit to this issue’s fork.

Balu Ertl:

Title: WebP potentially susceptible to timing attacks. » WebP potentially susceptible to timing attacks
markus_petrux:

Rerolled to apply to 1.x-dev

alexmoreno:

alexmoreno:

Status: Reviewed & tested by the community » Fixed
alexmoreno:

Version: 8.x-1.0-beta5 » 8.x-1.x-dev
fathima.asmat:

This is fixed in the latest release https://www.drupal.org/project/webp/releases/8.x-1.0-beta6 and can be marked as closed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.