Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-25058

md5 string comparision with "==" fails, if the strings begin with "0e"

    XMLWordPrintable

    Details

      Description

      If you are doing an md5 string comparison with "==" instead of "===", all strings that begin with "0e" will be considered identical, as reported here:

      http://stackoverflow.com/questions/22140204/why-md5240610708-is-equal-to-md5qnkcdzo
      http://stackoverflow.com/questions/12598407/php-expresses-two-different-strings-to-be-the-same

      Example:

      var_dump(md5('240610708') == md5('QNKCDZO'));
      
      output: bool(true)
      

      That is so because the hashes evaluate to 0e462097431906509019562988736854 and 0e830400451993494058024219903391, respectively. When you use ==, each is converted to a numeric representation because of the e (scientific notation), so they each become 0. 0 == 0 is true. On the other hand, this:

      md5('240610708') === md5('QNKCDZO')
      

      ...returns false because the string values are different. === forces type-sensitive comparison.

      An example of this in eZ Publish can be found in ezpublish_legacy/kernel/classes/ezcodetemplate.php:

      ...
      $originalMD5 = md5_file( $filePath );
      $updatedMD5 = md5_file( $tempFile );
      if ( $originalMD5 == $updatedMD5 )
      {
      ...
      

      Steps to reproduce:

      A visible effect of this can be reproduced by:

      1. Alter a user's password and enter "0e123";
      2. Confirm the password: "0e456";

      The password will be changed. Should have returned an error message instead:

      The draft could not be stored.
      
      Required data is either missing or is invalid:
      User account: The passwords do not match.
      

      The code in ezpublish_legacy/kernel/classes/datatypes/ezuser/ezuser.php seems to be responsible for this:

      ...
      if ( eZUser::validatePassword( $password ) and
                   $password == $passwordConfirm ) // Cannot change login or password_hash without login and password
      ...
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              nuno.oliveira-obsolete@ez.no Nuno Oliveira (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: