[owncloud-devel] Security: Constant String Comparison

Lukas Reschke lukas at statuscode.ch
Fri May 8 12:10:54 GMT 2015


Hey all

While reviewing a Pull Request today I stumbled upon something like the following:

if($request->getParam('secret') === 'SecretFromWhereEver') {}

At first sight it looks like this code is perfectly safe. However, there is a little security implication that this code does not cover: the way C and PHP code compares strings.

When you do a string comparison the comparison will stop after the first invalid character, so comparing "a === banana" is faster than comparing it to "a === ananas". A very sophisticated attacker might use the timing difference to guess the actual secret.

While actual exploitation over the network of such things is a very hard thing and highly unlikely in a lot of scenarios we should not take the chance to harden our code as much as possible with regards to future developments. Thus for such comparisons always use \OCP\Security\StringUtils::equals($expected, $input) starting from ownCloud 8.0.0. This method will perform a somewhat constant-time comparison but will not prevent the potential leakage of the length of $expected, but this is a minor issue :-)
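As an added illustration (example code, not ownCloud's own implementation), the following PHP puts the short-circuiting comparison next to a constant-time one written in the same style as \OCP\Security\StringUtils::equals, and shows how the reviewed snippet would look once it uses that helper. The $request object, the 'secret' parameter name and the getParam($key, $default) signature are assumed placeholders; hash_equals() is PHP's built-in equivalent since PHP 5.6.

```php
<?php
// Added example, not ownCloud code. Shows why === on a secret is a timing
// side channel and what a constant-time comparison looks like.

// Naive version: === compares byte by byte and returns as soon as one byte
// differs, so the time spent depends on how long the common prefix is.
function naiveEquals($expected, $input)
{
    return $expected === $input;
}

// Constant-time version in the style of \OCP\Security\StringUtils::equals.
// Every byte of $expected is examined no matter where the first mismatch
// is, so the running time does not depend on the content of $input.
// It still returns early when the lengths differ, which is the length
// leak of $expected mentioned in the mail.
function constantTimeEquals($expected, $input)
{
    $expected = (string)$expected;
    $input = (string)$input;
    $expectedLength = strlen($expected);
    if ($expectedLength !== strlen($input)) {
        return false;
    }
    $result = 0;
    for ($i = 0; $i < $expectedLength; $i++) {
        // OR together the XOR of each byte pair; no branch depends on data.
        $result |= ord($expected[$i]) ^ ord($input[$i]);
    }
    return $result === 0;
}

// PHP 5.6 and later ship hash_equals() with the same guarantee.
function builtinEquals($expected, $input)
{
    return hash_equals((string)$expected, (string)$input);
}

// How the reviewed snippet would look inside an ownCloud 8 app once it
// uses the helper. $request is assumed to be an \OCP\IRequest instance and
// $secretFromConfig the value the code compares against (placeholders).
// Only callable inside ownCloud, so it is defined but not invoked here.
function checkRequestSecret($request, $secretFromConfig)
{
    $input = (string)$request->getParam('secret', '');
    return \OCP\Security\StringUtils::equals($secretFromConfig, $input);
}

// Constructed sample inputs: a matching secret, a same-length mismatch and
// a shorter string. Both comparison styles agree on the result; only the
// time they take to reach it differs.
$secret = 'SecretFromWhereEver';
foreach (array('SecretFromWhereEver', 'SecretFromSomewhere', 'Secret') as $candidate) {
    printf(
        "%-20s naive=%s constant=%s builtin=%s\n",
        $candidate,
        var_export(naiveEquals($secret, $candidate), true),
        var_export(constantTimeEquals($secret, $candidate), true),
        var_export(builtinEquals($secret, $candidate), true)
    );
}
```

The ordering of the arguments matters for the length leak: passing the secret as $expected and the attacker-controlled value as $input, as the helper's signature suggests, means the early length check only reveals whether the lengths match, never the contents of the secret.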

Cheers
Lukas
