proper signature validation (#13523)

Cacciuc · techknowlogick · lunny · web-flow · commit a31a6e39968b · 2020-11-13T13:28:15.000-05:00
$header_signature could be a typed float (start with 0e and then only numbers) and a float does equal a string when comparing with typed juggle.
eg: 0e123 != "abc" does return false, but 0e123 !== "abc" returns true.

you previously could circumvent the signature check when providing a header signature in the float format (0e...)

Co-authored-by: techknowlogick &lt;techknowlogick@gitea.io&gt;
Co-authored-by: Lunny Xiao &lt;xiaolunwen@gmail.com&gt;
diff --git a/docs/content/doc/features/webhooks.en-us.md b/docs/content/doc/features/webhooks.en-us.md
@@ -168,7 +168,7 @@ if (empty($header_signature)) {
 $payload_signature = hash_hmac('sha256', $payload, $secret_key, false);
 
 // check payload signature against header signature
-if ($header_signature != $payload_signature) {
+if ($header_signature !== $payload_signature) {
     error_log('FAILED - payload signature');
     exit();
 }

Original file line number	Diff line number	Diff line change
`@@ -168,7 +168,7 @@ if (empty($header_signature)) {`
`168`	`168`	`$payload_signature = hash_hmac('sha256', $payload, $secret_key, false);`
`169`	`169`
`170`	`170`	`// check payload signature against header signature`
`171`		`-if ($header_signature != $payload_signature) {`
	`171`	`+if ($header_signature !== $payload_signature) {`
`172`	`172`	`error_log('FAILED - payload signature');`
`173`	`173`	`exit();`
`174`	`174`	`}`