[BUGFIX] Add check for string to prevent PHP warning 79/59779/5
authorPeter Kraume <peter.kraume@gmx.de>
Thu, 21 Feb 2019 13:17:31 +0000 (14:17 +0100)
committerBenni Mack <benni@typo3.org>
Mon, 4 Mar 2019 13:54:00 +0000 (14:54 +0100)
Resolves: #87762
Releases: master, 9.5, 8.7
Change-Id: I2e7b8b7bee6d69b3e1ae4458257be802d0d97d14
Reviewed-on: https://review.typo3.org/c/59779
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Benni Mack <benni@typo3.org>
typo3/sysext/frontend/Classes/Controller/ShowImageController.php

index 442da5e..e509e2a 100644 (file)
@@ -123,7 +123,7 @@ EOF;
         /* For backwards compatibility the HMAC is transported within the md5 param */
         $hmacParameter = $this->request->getQueryParams()['md5'] ?? null;
         $hmac = GeneralUtility::hmac(implode('|', [$fileUid, $parametersEncoded]));
-        if (!hash_equals($hmac, $hmacParameter)) {
+        if (!is_string($hmacParameter) || !hash_equals($hmac, $hmacParameter)) {
             throw new \InvalidArgumentException('hash does not match', 1476048456);
         }
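Review bot: The new `is_string()` guard covers only `$hmacParameter`, while `$fileUid` and `$parametersEncoded` are passed to `implode()` one line earlier with no type check visible in this hunk. Their assignments are outside the hunk, so if either is read directly from the query string, an array value would still raise a conversion notice and feed a placeholder string into the HMAC input before the comparison runs; it is worth confirming they are validated or cast where they are read. The guard itself fails closed, since a missing or non-string `md5` value takes the same exception path as a mismatch. A short comment would keep the check from being removed later as redundant, for example `// query parameters may be arrays; hash_equals() requires strings, so reject non-strings first`. The enclosing method starts and ends outside the hunk.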