-
This is already 'fixed' in #49721 Please don't take this as if I know what I'm talking about. This is an open question for discussion. I just came across While it seems infeasible that a file comparison would, in practice, be vulnerable to a timing attack (due to the sheer amount of binary data and therefore the processing time/cost required to enumerate a final hash), right now it's technically possible to do if you discover that someone is using ImplicationsEspecially in the context of this being an Assuming the data in the uploaded file itself will be inert due to the 'random' nature of the enumeration (it will likely just be a mess of bytes), the main consequence of this "vulnerability" will be errors and exceptions from trying to read said file after it's passed your hash comparison, as it won't contain what you thought it did. I haven't seen this happen in practice. I haven't got a proof of concept or anything like that. This is all just hypothetical/theoretical. A quick GitHub code search doesn't reveal any repos actually calling I'm also not going to pretend that I know what I'm talking about - I'm no infosec expert. I am just curious—having come across this just now—to see what other, more knowledgeable people think. If this is indeed something that needs to be resolved, I will happily create the PR to fix - seems like a "good first issue". |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 1 reply
-
Yep, it should definitely be using As you said, hash timing attacks are technically possible, but incredibly difficult to conduct. However, that's not a good reason to write weak code when we have a secure alternative that we can easily use instead. Oh and I love that you're referencing Securing Laravel. 🥰 |
Beta Was this translation helpful? Give feedback.
-
See #49721 (comment):
|
Beta Was this translation helpful? Give feedback.
Yep, it should definitely be using
hash_equals()
in there to compare the hashes. 👍As you said, hash timing attacks are technically possible, but incredibly difficult to conduct. However, that's not a good reason to write weak code when we have a secure alternative that we can easily use instead.
Oh and I love that you're referencing Securing Laravel. 🥰