Include/functions.php:266 hash_equals(): Expected known_string to be a string, null given

V4V · October 2, 2020, 1:38pm

I’ve been seeing a few E_WARNINGS in my logs around function validate_csrf. Perhaps $_SESSION['csrf_token'] needs to be checked first for NULL, something like:

	function validate_csrf($csrf_token) {
		if (!isset($_SESSION['csrf_token']) || !$_SESSION['csrf_token']) { return false; }

		return isset($csrf_token) && hash_equals($_SESSION['csrf_token'], $csrf_token);
	}

Event Log:

E_WARNING (2) include/functions.php:266 hash_equals(): Expected known_string to be a string, null given

include/functions.php(266): hash_equals(, a6454a029f10634bdc0efabc78c3195f)

backend.php(107): validate_csrf(a6454a029f10634bdc0efabc78c3195f)

IP: {removed}
Request URI: /tt-rss/backend.php
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 7:43
E_USER_NOTICE (1024) :0 Update process for feed 414 (feedname1, owner UID: 2) failed with exit code: 100 (LibXML error 76 at line 47 (column 10): Opening and ending tag mismatch: meta line 6 and head ).
7:17
E_USER_NOTICE (1024) :0 Update process for feed 258 (feedname2, owner UID: 2) failed with exit code: 100 (; 7 Failed to connect to website.com port 443: Connection timed out).
6:32

Versions:
tt-rss: Tiny Tiny RSS vUNKNOWN (Unsupported) (because didn’t use git? downloaded on Sep 28)
PHP: 7.3.22

fox · October 2, 2020, 2:36pm

isset() already checks for null, for user-supplied string. why is the session CSRF token null, though? what kind of request is happening that leads to this?

V4V · October 2, 2020, 2:55pm

Not sure. Been trying to figure both out too.

V4V · October 12, 2020, 2:32pm

Figured out what causes the null for hash_equals. Refreshing on prefs.php when the session has timed out yields and empty $_SESSION['csrf_token'] and the error:

{"error":{"code":6,"message":null}}