diff options
| author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2016-11-02 12:09:30 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-11-02 12:09:30 +0100 |
| commit | 370123b8b0b7adc21429b991f06e2c5052a54795 (patch) | |
| tree | 17301239f9dfe5afca5afe2a6dea4887c0ccaf1d /lib | |
| parent | acf01b7f061211eb898c974d1cda0f30851ea996 (diff) | |
| parent | e5d78a35231d1412aa7427f061aacdf73d92a796 (diff) | |
| download | nextcloud-server-370123b8b0b7adc21429b991f06e2c5052a54795.tar.gz nextcloud-server-370123b8b0b7adc21429b991f06e2c5052a54795.zip | |
Merge pull request #1966 from nextcloud/fix-csrf-token-generation
Fix CSRF token generation / validation
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/Security/CSRF/CsrfToken.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/private/Security/CSRF/CsrfToken.php b/lib/private/Security/CSRF/CsrfToken.php index dce9a83b727..e9bdf5b5204 100644 --- a/lib/private/Security/CSRF/CsrfToken.php +++ b/lib/private/Security/CSRF/CsrfToken.php @@ -51,8 +51,8 @@ class CsrfToken { */ public function getEncryptedValue() { if($this->encryptedValue === '') { - $sharedSecret = base64_encode(random_bytes(strlen($this->value))); - $this->encryptedValue = base64_encode($this->value ^ $sharedSecret) . ':' . $sharedSecret; + $sharedSecret = random_bytes(strlen($this->value)); + $this->encryptedValue = base64_encode($this->value ^ $sharedSecret) . ':' . base64_encode($sharedSecret); } return $this->encryptedValue; @@ -71,6 +71,6 @@ class CsrfToken { } $obfuscatedToken = $token[0]; $secret = $token[1]; - return base64_decode($obfuscatedToken) ^ $secret; + return base64_decode($obfuscatedToken) ^ base64_decode($secret); } } |