Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 3.0.11
- None
Description
Although request_var() takes care of casting user input to the appropriate type, when comparing strings in a security context, it is required to use strict comparison (===). This is because, e.g., "10" == "1e1" evaluates to true, which might weaken security properties (e.g. when comparing to a random string).
Issue Links
- blocks
- PHPBB3-11327 Implement reset password functionality via form instead of sending password
- Unverified Fix
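The comparison behaviour described in the ticket, as an added example that is not phpBB code: it runs loose and strict string comparison side by side over pairs of values that are already strings, as they would be after input casting. The function names and sample values are constructed, and `hash_equals()` (PHP 5.6 and later) goes one step beyond the ticket by also making the comparison time independent of where the strings differ.

```php
<?php
// Added illustration, not phpBB code. Function names and values are constructed.

// Loose comparison: when both operands are numeric strings, PHP compares
// them as numbers, so differently spelled strings can compare as equal.
function token_matches_loose(string $expected, string $supplied): bool
{
    return $expected == $supplied;
}

// Strict comparison: same type and identical bytes.
function token_matches_strict(string $expected, string $supplied): bool
{
    return $expected === $supplied;
}

// hash_equals() compares byte for byte; for equal-length strings its
// running time does not depend on where the strings differ.
function token_matches_timing_safe(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

// [stored value, user-supplied value]. Both are already strings, which is
// all that casting the input to string can guarantee.
$cases = [
    ['10', '1e1'],         // the pair from the ticket
    ['0e1234', '0e5678'],  // both parse as zero in exponent notation
    ['10', '10.0'],
    ['10', '010'],
    ['a3f9c2', 'a3f9c2'],  // identical, non-numeric
    ['a3f9c2', 'a3f9c3'],  // differs in the last byte
];

printf("%-10s %-10s %-6s %-7s %s\n", 'stored', 'supplied', 'loose', 'strict', 'hash_equals');
foreach ($cases as [$expected, $supplied]) {
    printf(
        "%-10s %-10s %-6s %-7s %s\n",
        $expected,
        $supplied,
        var_export(token_matches_loose($expected, $supplied), true),
        var_export(token_matches_strict($expected, $supplied), true),
        var_export(token_matches_timing_safe($expected, $supplied), true)
    );
}
```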