Merge pull request #5726 from magento-borg/2.4.0-bugfixes-052620

dvoskoboinikov · web-flow · commit 3ed3329dad46 · 2020-05-28T12:01:26.000-05:00
Resolved Issues:
- MC-32188: Improve validation of secret keys
diff --git a/app/code/Magento/Backend/App/AbstractAction.php b/app/code/Magento/Backend/App/AbstractAction.php
@@ -16,6 +16,7 @@
 use Magento\Framework\Data\Form\FormKey\Validator as FormKeyValidator;
 use Magento\Framework\Locale\ResolverInterface;
 use Magento\Framework\View\Element\AbstractBlock;
+use Magento\Framework\Encryption\Helper\Security;
 
 /**
  * Generic backend controller
@@ -386,7 +387,7 @@ protected function _validateSecretKey()
         }
 
         $secretKey = $this->getRequest()->getParam(UrlInterface::SECRET_KEY_PARAM_NAME, null);
-        if (!$secretKey || $secretKey != $this->_backendUrl->getSecretKey()) {
+        if (!$secretKey || !Security::compareStrings($secretKey, $this->_backendUrl->getSecretKey())) {
             return false;
         }
         return true;

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`use Magento\Framework\Data\Form\FormKey\Validator as FormKeyValidator;`
`17`	`17`	`use Magento\Framework\Locale\ResolverInterface;`
`18`	`18`	`use Magento\Framework\View\Element\AbstractBlock;`
	`19`	`+use Magento\Framework\Encryption\Helper\Security;`
`19`	`20`
`20`	`21`	`/**`
`21`	`22`	`* Generic backend controller`
`@@ -386,7 +387,7 @@ protected function _validateSecretKey()`
`386`	`387`	`}`
`387`	`388`
`388`	`389`	`$secretKey = $this->getRequest()->getParam(UrlInterface::SECRET_KEY_PARAM_NAME, null);`
`389`		`- if (!$secretKey \|\| $secretKey != $this->_backendUrl->getSecretKey()) {`
	`390`	`+ if (!$secretKey \|\| !Security::compareStrings($secretKey, $this->_backendUrl->getSecretKey())) {`
`390`	`391`	`return false;`
`391`	`392`	`}`
`392`	`393`	`return true;`