Security: Token comparaison should use hash_equals
Issue #3
On https://bitbucket.org/wooclap/moodle-mod_wooclap/src/caacf1d3e2a2a0a217adf8349bd01bcf4a65ee39/report_wooclap.php#lines-52 you are comparing two tokens using `===`; for security reasons, you should use
https://www.php.net/manual/en/function.hash-equals.php instead.
diff --git a/report_wooclap.php b/report_wooclap.php
index 162d61b..2556277 100644
--- a/report_wooclap.php
+++ b/report_wooclap.php
@@ -49,7 +49,7 @@ try {
];
$token_calc = wooclap_generate_token('REPORT?' . wooclap_http_build_query($data_token));
- if ($token === $token_calc) {
+ if (hash_equals((string)$token_calc, (string)$token)) {
if ($completion == 'passed') {
$completion_param = COMPLETION_COMPLETE_PASS;
} else if ($completion == 'incomplete') {