tdsds.com/gitea
1
1
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2025-11-04 05:18:25 +00:00
Code Releases Activity

proper signature validation (#13523)

Browse Source 
$header_signature could be a typed float (start with 0e and then only numbers) and a float does equal a string when comparing with typed juggle.
eg: 0e123 != "abc" does return false, but 0e123 !== "abc" returns true.

you previously could circumvent the signature check when providing a header signature in the float format (0e...)

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
Cacciuc
2020-11-13 19:28:15 +01:00
committed by GitHub
parent db16275d9e
commit a31a6e3996
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/content/doc/features/webhooks.en-us.md
View File

@@ -168,7 +168,7 @@ if (empty($header_signature)) {
$payload_signature = hash_hmac('sha256', $payload, $secret_key, false); $payload_signature = hash_hmac('sha256', $payload, $secret_key, false);
// check payload signature against header signature // check payload signature against header signature
if ($header_signature != $payload_signature) { if ($header_signature !== $payload_signature) {
error_log('FAILED - payload signature'); error_log('FAILED - payload signature');
exit(); exit();
} }