1.2.689. Minus One On Error
Some PHP native functions return -1 on error. They also return 1 in case of success, and 0 in case of failure. This leads to confusion.
When such a native function is used as a condition without an explicit comparison, PHP casts the return value to a boolean. In this case, -1 and 1 are both converted to true, and the condition applies. This means that an error situation is mistaken for a successful event. This analysis searches for if/then structures, ternary operators, and conditions inside `while() / do...while() <https://www.php.net/manual/en/control-structures.while.php>`_ loops.
<?php
    // Proper check of the return value: only the integer 1 means success
    if (openssl_verify($data, $signature, $public) === 1) {
        $this->loginAsUser($user);
    }

    // if this call fails, it returns -1, and is confused with true
    if (openssl_verify($data, $signature, $public)) {
        $this->loginAsUser($user);
    }
?>
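The wrapper below is an added example, not code from the Exakat documentation or from PHP itself. It maps the tri-state return value of openssl_verify() to an explicit outcome, so that the -1 error case can never fall into the success branch, and then shows on the values 1, 0 and -1 why the loose check grants access on error while the strict one does not. The names SignatureResult, verifySignature and the sample payload are this example's own; the key pair is generated in-process.

```php
<?php
declare(strict_types=1);

// Added example (not from the Exakat docs): explicit handling of the
// 1 / 0 / -1 (and false) return values of openssl_verify().
// SignatureResult and verifySignature() are this example's own names.

final class SignatureResult
{
    public const VALID   = 'valid';    // openssl_verify() returned 1
    public const INVALID = 'invalid';  // openssl_verify() returned 0
    public const ERROR   = 'error';    // openssl_verify() returned -1 or false
}

function verifySignature(string $data, string $signature, $publicKey, int $algo = OPENSSL_ALGO_SHA256): string
{
    $result = openssl_verify($data, $signature, $publicKey, $algo);

    // Strict comparison: only the integer 1 means the signature matched.
    if ($result === 1) {
        return SignatureResult::VALID;
    }
    if ($result === 0) {
        return SignatureResult::INVALID;
    }

    // -1 (OpenSSL error) or false (unusable parameters): fail closed and
    // record the OpenSSL error queue entry for the log.
    $detail = openssl_error_string() ?: 'no OpenSSL error detail';
    error_log(sprintf('openssl_verify() failed with %s: %s', var_export($result, true), $detail));
    return SignatureResult::ERROR;
}

// Constructed demonstration data: a fresh RSA key pair and a signed payload.
$keyPair = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
$public = openssl_pkey_get_details($keyPair)['key'];

$data = 'user=alice;role=admin';
openssl_sign($data, $signature, $keyPair, OPENSSL_ALGO_SHA256);

// Genuine signature over the original payload.
echo 'original payload: ', verifySignature($data, $signature, $public), PHP_EOL;

// Same signature over a tampered payload: openssl_verify() returns 0.
echo 'tampered payload: ', verifySignature('user=alice;role=root', $signature, $public), PHP_EOL;

// The pitfall the rule describes, shown on each possible integer result:
// a truthiness check treats -1 exactly like 1.
foreach ([1, 0, -1] as $returnValue) {
    printf(
        "return %2d: loose check grants access? %-3s strict check grants access? %s\n",
        $returnValue,
        $returnValue ? 'yes' : 'no',        // if (openssl_verify(...))
        $returnValue === 1 ? 'yes' : 'no'   // if (openssl_verify(...) === 1)
    );
}
```

The caller of verifySignature() should grant access only on SignatureResult::VALID; both INVALID and ERROR are denials, but ERROR is worth alerting on separately, because a broken key, digest or OpenSSL configuration is an operational problem rather than a bad signature.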
See also Can you spot the vulnerability? (openssl_verify) and Incorrect Signature Verification.
1.2.689.1. Suggestions
Explicitly compare the return value to 1, using the strict === operator
1.2.689.2. Specs
Short name | Security/MinusOneOnError
Rulesets |
Exakat since | 1.8.0
PHP Version | All
Severity | Critical
Time To Fix | Instant (5 mins)
Precision | High
Available in |