Commit 4b569f3e by Qiang Xue

Fixed CSRF token masking issue.

parent eb4385d4
......@@ -1039,7 +1039,8 @@ class Request extends \yii\base\Request
if ($this->_maskedCsrfToken === null) {
$token = $this->getCsrfToken();
$mask = Security::generateRandomKey(self::CSRF_MASK_LENGTH);
$this->_maskedCsrfToken = base64_encode($mask . $this->xorTokens($token, $mask));
// The + sign may be decoded as blank space later, which will fail the validation
$this->_maskedCsrfToken = str_replace('+', '.', base64_encode($mask . $this->xorTokens($token, $mask)));
}
return $this->_maskedCsrfToken;
}
......@@ -1120,7 +1121,7 @@ class Request extends \yii\base\Request
private function validateCsrfTokenInternal($token, $trueToken)
{
$token = base64_decode($token);
$token = str_replace('.', '+', base64_decode($token));
$n = StringHelper::byteLength($token);
if ($n <= self::CSRF_MASK_LENGTH) {
return false;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment