Skip to content

TOCTOU in CacheTokenVerifier #42637

New issue
New issue
Closed
Closed
TOCTOU in CacheTokenVerifier#42637
Labels
BugSecurityStatus: Reviewed
@zerkms

Description

@zerkms
zerkms
opened on Aug 19, 2021

Symfony version(s) affected: 5.4

Description
At the moment cache is used this way:

symfony/src/Symfony/Component/Security/Core/Authentication/RememberMe/CacheTokenVerifier.php

Lines 47 to 55 in cd12afe

$cacheKey = $this->getCacheKey($token);
if (!$this->cache->hasItem($cacheKey)) {
return false;
}
$item = $this->cache->getItem($cacheKey);
$outdatedToken = $item->get();
return hash_equals($outdatedToken, $tokenValue);

It's a classical example of https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use

Nothing guarantees the cache that is valid in line 48 is not valid anymore in line 52

If it happens you'd get Warning: hash_equals(): Expected known_string to be a string, null given

How to reproduce
For obvious reasons it's super hard to reproduce it without touching code, but simply make a getItem return nothing (as if it didn't find the value). Alternatively - with a debugger just step on the line 52 and wait til it expires.

Possible Solution
Just using $this->cache->getItem($cacheKey); is sufficient, without extra hasItem check.

Metadata

Metadata

Assignees

No one assigned

    Labels

    BugSecurityStatus: Reviewed

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions