SECURITY: Use strict comparison when authenticating
Incorrect comparison (autocasting) in SOA2Login::commented in ScratchOAuth2 allows unprivileged attackers to authorize as other users on downstream components that rely on ScratchOAuth2, as demonstrated by "1234567890" and "123456789e1".
apple502j committed Apr 12, 2021
1 parent 0ead14a commit a91879b
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion includes/common/login.php
@@ -52,7 +52,7 @@ public static function commented( string $username, string $code ) {
$matches = [];
preg_match_all(SOA2_COMMENTS_REGEX, $comments, $matches, PREG_PATTERN_ORDER);
for ($i = 0; $i < count($matches[0]); ++$i) {
if (strtolower($matches[1][$i]) != $username) continue;
if (strtolower($matches[1][$i]) !== $username) continue;
if (hash_equals($code, $matches[2][$i])) return true; // Step 22
}
return false;
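Review bot: the change from `!=` to `!==` in the username check is the correct fix, but it should come with a regression test using the two usernames from the commit message. PHP's loose comparison treats `"1234567890"` and `"123456789e1"` as numeric strings and compares them as numbers, so `"123456789e1" != "1234567890"` evaluates to false and the loop would accept a comment posted by the wrong account; `!==` compares the strings byte for byte instead. The `hash_equals($code, $matches[2][$i])` check on the next line was already a strict comparison, so only the username test was affected. Suggested follow-ups: add a test asserting that `commented("1234567890", $code)` does not match a comment posted by the account `123456789e1`, and review the rest of the code base for other `==`/`!=` comparisons on user-supplied strings.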