Skip to content

Fix GPG nonce UUID validation using incorrect operand#1

Open
flightlesstux wants to merge 1 commit into
masterfrom
fix/gpg-nonce-uuid-validation-logic
Open

Fix GPG nonce UUID validation using incorrect operand#1
flightlesstux wants to merge 1 commit into
masterfrom
fix/gpg-nonce-uuid-validation-logic

Conversation

@flightlesstux

Copy link
Copy Markdown
Owner

Problem

In GpgAuthenticator::_checkNonce(), the UUID validation check compares the wrong operand:

// Before — semantically wrong
if ($version != Validation::uuid($uuid)) {

Validation::uuid() returns a boolean (true/false), not the UUID string. The variable being compared is $version — the protocol string 'gpgauthv1.3.0' — which has nothing to do with UUID validation.

This works today only because PHP loose type coercion happens to produce the correct boolean outcome:

  • Valid UUID → Validation::uuid() returns true'gpgauthv1.3.0' != truefalse → no error ✓
  • Invalid UUID → Validation::uuid() returns false'gpgauthv1.3.0' != falsetrue → error triggered ✓

However, this is a fragile coincidence. If Validation::uuid() ever returns a non-boolean (e.g., the validated string itself), the check would silently stop rejecting invalid UUIDs in the GPG authentication flow.

Fix

Replace the accidental loose comparison with a direct boolean check on the validation result:

// After — explicit and correct
if (!Validation::uuid($uuid)) {

Impact

  • The authentication behaviour is unchanged in the current PHP/CakePHP version
  • The fix makes the intent explicit and removes reliance on accidental type coercion
  • Prevents a silent security regression if the validation helper's return type changes

Testing

Existing GPG authentication tests cover the nonce validation path. No new test cases are needed as the observable behaviour is identical — only the implementation correctness is improved.

The _checkNonce() method compared $version (the protocol string
'gpgauthv1.3.0') against the return value of Validation::uuid(),
which returns a boolean. This worked accidentally via PHP loose
type coercion but is semantically wrong: any future change to the
return type of Validation::uuid() would silently disable UUID
validation entirely.

Replace the loose comparison against $version with a direct boolean
check on Validation::uuid($uuid).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant