author | Lukas Reschke <lukas@owncloud.com> | 2015-08-04 18:34:33 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2015-08-04 18:34:33 +0200 |
commit | 4efa7c09b135e1af5269f72a6f6a1803e5c1edd2 (patch) | |
tree | c30d2d2b3fc9ca59559185b0517f619ed621c736 /lib | |
parent | 728780aee8dbbdb41746b7510096c8690505a991 (diff) | |
Use StringUtils::equals on CSRF token and add unit tests
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/appframework/http/request.php | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/lib/private/appframework/http/request.php b/lib/private/appframework/http/request.php
index baf2f0c4745..6f108fedc6d 100644
--- a/lib/private/appframework/http/request.php
+++ b/lib/private/appframework/http/request.php
@@ -33,6 +33,7 @@ use OC\Security\TrustedDomainHelper;
 use OCP\IConfig;
 use OCP\IRequest;
 use OCP\Security\ISecureRandom;
+use OCP\Security\StringUtils;
 
 /**
  * Class for accessing variables in the request.
@@ -416,12 +417,10 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 }
 
 // Check if the token is valid
- if($token !== $this->items['requesttoken']) {
- // Not valid
- return false;
- } else {
- // Valid token
+ if(StringUtils::equals($token, $this->items['requesttoken'])) {
 return true;
+ } else {
+ return false;
 }
 }
 
|
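Review bot: In the rewritten check, `$token` (which appears to be the value taken from the request) is passed first and the stored `$this->items['requesttoken']` second; if `StringUtils::equals` follows the `($expected, $input)` order of `hash_equals`, the two are swapped, and PHP documents that the user-supplied string belongs in the second position. The `if … return true; else return false;` wrapper can also collapse into one statement, `return StringUtils::equals($this->items['requesttoken'], $token);`. The method starts outside this hunk, so it is worth confirming there that `$token` is always a string by this point, since how `equals` treats non-string input is not visible here.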