Merge branch '6.4' into 7.4

nicolas-grekas · nicolas-grekas · commit cb129a8687c1 · 2026-05-13T14:04:42.000+02:00
* 6.4:
  Allow defining security provider factories without config
  [FrameworkBundle] Bump Request/Session value resolver priority above EntityValueResolver
  [Security] Remove the legacy nested unserialize() call from token and exception classes
  [Yaml] Reject non-stringables when using "!!binary"
  [Messenger][Amqp] delayed quorum queues
  [Notifier] Use `hash_equals()` to compare webhook signatures for Vonage
  [Inflector][String] Fixed singularize `traces` &gt; `trace`
  [AssetMapper] Warn on missing bare CSS and JSON imports
  When pushing, run GHA only on "*.*" branches
  [Console] Fix signal handler scoping
  [Security] Preserve webserver base URL in HttpUtils::createRequest()
diff --git a/Webhook/VonageRequestParser.php b/Webhook/VonageRequestParser.php
@@ -83,7 +83,8 @@ private function validateSignature(string $jwt, #[\SensitiveParameter] string $s
         }
 
         [$header, $payload, $signature] = $tokenParts;
-        if ($signature !== $this->base64EncodeUrl(hash_hmac('sha256', $header.'.'.$payload, $secret, true))) {
+        $expected = $this->base64EncodeUrl(hash_hmac('sha256', $header.'.'.$payload, $secret, true));
+        if (!hash_equals($expected, $signature)) {
             throw new RejectWebhookException(406, 'Signature is wrong.');
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,8 @@ private function validateSignature(string $jwt, #[\SensitiveParameter] string $s`
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`[$header, $payload, $signature] = $tokenParts;`
`86`		`- if ($signature !== $this->base64EncodeUrl(hash_hmac('sha256', $header.'.'.$payload, $secret, true))) {`
	`86`	`+ $expected = $this->base64EncodeUrl(hash_hmac('sha256', $header.'.'.$payload, $secret, true));`
	`87`	`+ if (!hash_equals($expected, $signature)) {`
`87`	`88`	`throw new RejectWebhookException(406, 'Signature is wrong.');`
`88`	`89`	`}`
`89`	`90`	`}`