authorCacciuc <43413216+Cacciuc@users.noreply.github.com>2020-11-13 19:28:15 +0100
committerGitHub <noreply@github.com>2020-11-13 13:28:15 -0500
commita31a6e39968bcbcd3728c436ce22053aeec93291 (patch)
tree3e22ce1cd44e64bfe3d828d849930c6127a22a62 /docs/content
parentdb16275d9efe59bf54cbe5d26e1614079d00eaaa (diff)
proper signature validation (#13523)
$header_signature could be a typed float (starting with 0e followed only by digits), and a float does equal a string when compared with type juggling; e.g. 0e123 != "abc" returns false, but 0e123 !== "abc" returns true. You previously could circumvent the signature check by providing a header signature in the float format (0e...). Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'docs/content')
-rw-r--r--docs/content/doc/features/webhooks.en-us.md2
1 files changed, 1 insertions, 1 deletions
diff --git a/docs/content/doc/features/webhooks.en-us.md b/docs/content/doc/features/webhooks.en-us.md
index f20f253745..e755513485 100644
--- a/docs/content/doc/features/webhooks.en-us.md
+++ b/docs/content/doc/features/webhooks.en-us.md
@@ -168,7 +168,7 @@ if (empty($header_signature)) {
$payload_signature = hash_hmac('sha256', $payload, $secret_key, false);
// check payload signature against header signature
-if ($header_signature != $payload_signature) {
+if ($header_signature !== $payload_signature) {
error_log('FAILED - payload signature');
exit();
}
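Review bot: The strict comparison on the `+` line closes the type-juggling bypass but still compares the two hex digests with ordinary string equality, which returns at the first differing byte, so the example remains a non-constant-time check of a secret-derived value; PHP provides `hash_equals()` for exactly this case, and the line should read `if (!hash_equals($payload_signature, $header_signature)) {`. `hash_equals()` requires both arguments to be strings; the `empty($header_signature)` guard shown in the hunk header runs outside this hunk, so whether the header value is already a string cannot be confirmed from here, and an explicit `(string)` cast on it would make that evident. Since readers copy this sample into their own receivers, the comment on the preceding line should also say why, e.g. `// compare with hash_equals(): strict and constant-time; never use == which type-juggles numeric strings such as 0e123`.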