Skip to content

Use strict comparisons throughout _checkNonce() validation#596

Open
flightlesstux wants to merge 1 commit intopassbolt:masterfrom
flightlesstux:fix/gpg-nonce-strict-comparisons
Open

Use strict comparisons throughout _checkNonce() validation#596
flightlesstux wants to merge 1 commit intopassbolt:masterfrom
flightlesstux:fix/gpg-nonce-strict-comparisons

Conversation

@flightlesstux
Copy link

@flightlesstux flightlesstux commented Mar 12, 2026

Problem

GpgAuthenticator::_checkNonce() validates the GPG nonce format using loose != comparisons at every check. All values come from explode('|', $nonce) and are therefore strings, so loose coercion happens to produce correct results today — but PHP's type juggling rules make this fragile.

The UUID check is additionally wrong at the operand level:

// Comparing $version (the protocol string) against a bool return value
if ($version != Validation::uuid($uuid)) {

Validation::uuid() returns true/false. The comparison works only because 'gpgauthv1.3.0' == true and 'gpgauthv1.3.0' != false happen to be correct under loose coercion. This is an accident of PHP semantics, not intentional logic.

Fix

Replace every loose != with strict !==, and fix the UUID check to test the validation result directly:

if (count($result) !== 4) { ... }
if ($version !== $version2) { ... }
if ($version !== 'gpgauthv1.3.0') { ... }
if (!Validation::uuid($uuid)) { ... }       // was: $version != Validation::uuid($uuid)
if ($length !== '36') { ... }               // '36' string, since explode() returns strings

Notes

  • $length is a string from explode(), so the strict comparison target changes from integer 36 to string '36'. The validation behaviour is identical.
  • The UUID check is the most important fix: it removes a logically incorrect comparison that relied on double type coercion to pass.
  • No functional change under any PHP version currently in use.

@flightlesstux
Use strict comparisons throughout _checkNonce() validation
c08a2d6 
_checkNonce() validated GPG nonce format using loose != comparisons
throughout. All values originate from explode() so they are strings;
loose integer/string coercion was doing the right thing in practice,
but PHP's type juggling rules make loose comparisons a maintenance
hazard — a future refactor could silently change the semantics.

Changes:
- count($result) != 4    → !== 4
- $version != $version2  → !==
- $version != 'gpgauthv1.3.0' → !==
- $version != Validation::uuid($uuid) → !Validation::uuid($uuid)
  (Validation::uuid returns bool; comparing against $version was
  semantically wrong — it happened to work via coercion only)
- $length != 36 → !== '36'
  ($length is a string from explode; strict compare requires '36')
@CLAassistant
Copy link

CLAassistant commented Mar 12, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@flightlesstux @CLAassistant