HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Fatal Error in Firebase\JWT\JWT.sign() - Key Must Be a String When Using HMAC

Hello Amazing Community,

I'm encountering a critical issue on my self-hosted Vanilla Forum when trying to send private messages to users. The following fatal error is raised:

Fatal Error in Firebase\JWT\JWT.sign();
key must be a string when using hmac

Details:

  • Environment:
    • Vanilla Forum version: 2024.007
    • PHP version: 8

Error Trace:

The error occurred on or near: /var/www/html/vendor/firebase/php-jwt/src/JWT.php
229: list($function, $algorithm) = static::$supported_algs[$alg];
230: switch ($function) {
231: case 'hash_hmac':
232: if (!\is_string($key)) {
233: throw new InvalidArgumentException('key must be a string when using hmac');
234: }
235: return \hash_hmac($algorithm, $msg, $key, true);
236: case 'openssl':
237: $signature = '';
Backtrace:
[/var/www/html/vendor/firebase/php-jwt/src/JWT.php:203] Firebase\JWT\JWT::sign();
[/var/www/html/applications/dashboard/models/class.activitymodel.php:1401] Firebase\JWT\JWT::encode();
[/var/www/html/applications/dashboard/models/class.activitymodel.php:1261] ActivityModel->getUnsubscribeLink();
[/var/www/html/applications/dashboard/models/class.activitymodel.php:2113] ActivityModel->email();
[/var/www/html/applications/dashboard/models/class.activitymodel.php:2510] ActivityModel->save();
[/var/www/html/applications/conversations/models/class.conversationsmodel.php:196] ActivityModel->saveQueue();
[/var/www/html/applications/conversations/models/class.conversationmodel.php:787] ConversationsModel->notifyUsers();
[/var/www/html/library/core/class.form.php:3122] ConversationModel->save();
[/var/www/html/applications/conversations/controllers/class.messagescontroller.php:116] Gdn_Form->save();
[/var/www/html/library/core/class.dispatcher.php:1036] MessagesController->add();
[/var/www/html/library/core/class.dispatcher.php:397] Gdn_Dispatcher->dispatchController();
[/var/www/html/index.php:36] Gdn_Dispatcher->dispatch();

It seems that the key being used for HMAC signing is not a string. I have traced the issue to line 232 in JWT.php, where the sign method expects the key to be a string.

Can anyone provide guidance on ensuring the key is always a string in the appropriate parts of the Vanilla Forum codebase? Is there a more permanent fix that can be applied to the source?

Thank you for your assistance!

Comments

  • Hi alpha_9ight, just ran into this myself. You need to make sure $Configuration['Garden']['Unsubscribe']['Salt'] is set to an appropriate (non-null) value in your config.php file.

Sign In or Register to comment.