See if you can spot the bug in this PHP code …
PM’d responses. Mulling over this right now at work
Bah… wonder what post ‘localhost; rm -rf /’ would do
It is a fatal bug … Brenly hasn’t gotten it yet …
Hint: Data Types
Yeah, but still, CLI injection is a fatal bug.
Spoilers below:
if ($hmac !== $_POST['hmac']) {
The !== operator compares whether types are identical, not whether values match. You should use != here.
Actually === and !== compare both type and value… == and != only compare value with automatic type casting
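The loose versus strict comparison described in the last reply, as an added example that is not part of the original thread or the challenge code. It runs `==`, `===` and a type-checked `hash_equals()` over the same inputs; the function names, key and MAC values are constructed for illustration.

```php
<?php
// Added example. Key, message and MAC values below are constructed.

function verify_loose(string $expected, $supplied): bool {
    return $expected == $supplied;    // value only, after type juggling
}

function verify_strict(string $expected, $supplied): bool {
    return $expected === $supplied;   // same type AND same value
}

function verify_safe(string $expected, $supplied): bool {
    // Reject non-strings first, then compare in constant time.
    return is_string($supplied) && hash_equals($expected, $supplied);
}

$key  = 'constructed-demo-key';
$real = hash_hmac('sha256', 'localhost', $key);

// Each case: [label, expected MAC, value as it would arrive in $_POST['hmac']]
$cases = [
    ['correct MAC',           $real,      $real],
    ['wrong MAC',             $real,      str_repeat('0', 64)],
    // Two different strings that both look like "0 x 10^n" to PHP.
    ['numeric-looking pair',  '0e123456', '0e654321'],
    // A field sent as hmac[]=x reaches PHP as an array, not a string.
    ['array instead of text', $real,      ['x']],
];

foreach ($cases as [$label, $expected, $supplied]) {
    printf(
        "%-22s ==:%-6s ===:%-6s hash_equals:%s\n",
        $label,
        var_export(verify_loose($expected, $supplied), true),
        var_export(verify_strict($expected, $supplied), true),
        var_export(verify_safe($expected, $supplied), true)
    );
}
```

Only the numeric-looking pair separates the operators: `==` accepts it because both strings are compared as numbers, while `===` and `hash_equals()` reject it.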