Remove dependency on ICrypto + use XOR

1 files changed, 4 insertions, 11 deletions

diff --git a/lib/private/appframework/http/request.php b/lib/private/appframework/http/request.php
index 77785135162..96620838dfb 100644
--- a/lib/private/appframework/http/request.php
+++ b/lib/private/appframework/http/request.php
@@ -88,20 +88,17 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 	 *        - string 'method' the request method (GET, POST etc)
 	 *        - string|false 'requesttoken' the requesttoken or false when not available
 	 * @param ISecureRandom $secureRandom
-	 * @param ICrypto $crypto
 	 * @param IConfig $config
 	 * @param string $stream
 	 * @see http://www.php.net/manual/en/reserved.variables.php
 	 */
 	public function __construct(array $vars=array(),
 								ISecureRandom $secureRandom = null,
-								ICrypto $crypto,
 								IConfig $config,
 								$stream='php://input') {
 		$this->inputStream = $stream;
 		$this->items['params'] = array();
 		$this->secureRandom = $secureRandom;
-		$this->crypto = $crypto;
 		$this->config = $config;
 
 		if(!array_key_exists('method', $vars)) {
@@ -439,22 +436,18 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 			return false;
 		}
 
-		// Decrypt token to prevent BREACH like attacks
+		// Deobfuscate token to prevent BREACH like attacks
 		$token = explode(':', $token);
 		if (count($token) !== 2) {
 			return false;
 		}
 
-		$encryptedToken = $token[0];
+		$obfuscatedToken = $token[0];
 		$secret = $token[1];
-		try {
-			$decryptedToken = $this->crypto->decrypt($encryptedToken, $secret);
-		} catch (\Exception $e) {
-			return false;
-		}
+		$deobfuscatedToken = base64_decode($obfuscatedToken) ^ $secret;
 
 		// Check if the token is valid
-		if(\OCP\Security\StringUtils::equals($decryptedToken, $this->items['requesttoken'])) {
+		if(\OCP\Security\StringUtils::equals($deobfuscatedToken, $this->items['requesttoken'])) {
 			return true;
 		} else {
 			return false;