Spot The Bug challenge warm-up

See if you can spot the bug in this php code …

@brenly @brian @raffi @denzuko

pm’d responses. mulling over this right now at work

Bah… wonder what post ‘localhost; rm -rf /’ would do

It is a fatal bug … Brenly hasn’t gotten it yet …

Hint: Data Types

yeah but still cli injection is a fatal bug.

Spoilers below:

if ($hmac !== $_POST['hmac']) {

The !== operator compares whether types are identical, not whether values match. You should use != here.

Actually === and !== compare both type and value… == and != only compare value with automatic type casting

The Answer