From e5d78a35231d1412aa7427f061aacdf73d92a796 Mon Sep 17 00:00:00 2001
From: Leon Klingele <git@leonklingele.de>
Date: Mon, 31 Oct 2016 18:22:42 +0100
Subject: Fix CSRF token generation / validation

Operate on raw bytes instead of base64-encoded strings.
Issue was introduced in a977465

Signed-off-by: Leon Klingele <git@leonklingele.de>
---
 tests/lib/Security/CSRF/CsrfTokenManagerTest.php | 8 ++++++--
 tests/lib/Security/CSRF/CsrfTokenTest.php        | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

(limited to 'tests')

diff --git a/tests/lib/Security/CSRF/CsrfTokenManagerTest.php b/tests/lib/Security/CSRF/CsrfTokenManagerTest.php
index 6f7842fdfd9..f9dd8127e5a 100644
--- a/tests/lib/Security/CSRF/CsrfTokenManagerTest.php
+++ b/tests/lib/Security/CSRF/CsrfTokenManagerTest.php
@@ -137,15 +137,19 @@ class CsrfTokenManagerTest extends \Test\TestCase {
 	}
 
 	public function testIsTokenValidWithValidToken() {
+		$a = 'abc';
+		$b = 'def';
+		$xorB64 = 'BQcF';
+		$tokenVal = sprintf('%s:%s', $xorB64, base64_encode($a));
 		$this->storageInterface
 				->expects($this->once())
 				->method('hasToken')
 				->willReturn(true);
-		$token = new \OC\Security\CSRF\CsrfToken('XlQhHjgWCgBXAEI0Khl+IQEiCXN2LUcDHAQTQAc1HQs=:qgkUlg8l3m8WnkOG4XM9Az33pAt1vSVMx4hcJFsxdqc=');
+		$token = new \OC\Security\CSRF\CsrfToken($tokenVal);
 		$this->storageInterface
 				->expects($this->once())
 				->method('getToken')
-				->willReturn('/3JKTq2ldmzcDr1f5zDJ7Wt0lEgqqfKF');
+				->willReturn($b);
 
 		$this->assertSame(true, $this->csrfTokenManager->isTokenValid($token));
 	}
diff --git a/tests/lib/Security/CSRF/CsrfTokenTest.php b/tests/lib/Security/CSRF/CsrfTokenTest.php
index d19d1de916c..fbb92cd315a 100644
--- a/tests/lib/Security/CSRF/CsrfTokenTest.php
+++ b/tests/lib/Security/CSRF/CsrfTokenTest.php
@@ -36,7 +36,11 @@ class CsrfTokenTest extends \Test\TestCase {
 	}
 
 	public function testGetDecryptedValue() {
-		$csrfToken = new \OC\Security\CSRF\CsrfToken('XlQhHjgWCgBXAEI0Khl+IQEiCXN2LUcDHAQTQAc1HQs=:qgkUlg8l3m8WnkOG4XM9Az33pAt1vSVMx4hcJFsxdqc=');
-		$this->assertSame('/3JKTq2ldmzcDr1f5zDJ7Wt0lEgqqfKF', $csrfToken->getDecryptedValue());
+		$a = 'abc';
+		$b = 'def';
+		$xorB64 = 'BQcF';
+		$tokenVal = sprintf('%s:%s', $xorB64, base64_encode($a));
+		$csrfToken = new \OC\Security\CSRF\CsrfToken($tokenVal);
+		$this->assertSame($b, $csrfToken->getDecryptedValue());
 	}
 }
-- 
cgit v1.2.3