From a31a6e39968bcbcd3728c436ce22053aeec93291 Mon Sep 17 00:00:00 2001
From: Cacciuc <43413216+Cacciuc@users.noreply.github.com>
Date: Fri, 13 Nov 2020 19:28:15 +0100
Subject: [PATCH] proper signature validation (#13523)

$header_signature could be a typed float (start with 0e and then only numbers) and a float does equal a string when comparing with typed juggle. eg: 0e123 != "abc" does return false, but 0e123 !== "abc" returns true. you previously could circumvent the signature check when providing a header signature in the float format (0e...)

Co-authored-by: techknowlogick
Co-authored-by: Lunny Xiao
---
 docs/content/doc/features/webhooks.en-us.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/content/doc/features/webhooks.en-us.md b/docs/content/doc/features/webhooks.en-us.md
index f20f253745..e755513485 100644
--- a/docs/content/doc/features/webhooks.en-us.md
+++ b/docs/content/doc/features/webhooks.en-us.md
@@ -168,7 +168,7 @@ if (empty($header_signature)) {
 $payload_signature = hash_hmac('sha256', $payload, $secret_key, false);

 // check payload signature against header signature
-if ($header_signature != $payload_signature) {
+if ($header_signature !== $payload_signature) {
 error_log('FAILED - payload signature');
 exit();
 }
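Review bot: The strict `!==` on the added line closes the loose-comparison bypass, but a plain string comparison of an HMAC still stops at the first differing byte, so the example continues to leak timing information about how much of the signature matched. PHP ships `hash_equals()`, which is both strict and constant-time, so the check should read `if (!hash_equals($payload_signature, $header_signature)) {` with the locally computed value as the first (known) argument. Because readers copy this snippet into their own webhook receivers, the documented form should be the constant-time one. The enclosing PHP example in the markdown starts before this hunk.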