Commit 329c020e authored by catch's avatar catch

Issue #2822499 by klausi: CsrfTokenGenerator should use timing attack safe string comparison

parent 5112179b
......@@ -54,7 +54,7 @@ public function access(Route $route, Request $request, RouteMatchInterface $rout
$path = str_replace("{{$param}}", $value, $path);
}
if ($this->csrfToken->validate($request->query->get('token'), $path)) {
if ($this->csrfToken->validate($request->query->get('token', ''), $path)) {
$result = AccessResult::allowed();
}
else {
......@@ -87,7 +87,7 @@ public function validate($token, $value = '') {
return FALSE;
}
return $token === $this->computeToken($seed, $value);
return Crypt::hashEquals($this->computeToken($seed, $value), $token);
}
/**
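Review bot: `Crypt::hashEquals()` on the new line presumably delegates to `hash_equals()`, which expects two strings, yet `validate($token, $value = '')` still has no type guard, so a caller passing a null or array token now reaches the comparison with a non-string instead of the silent `FALSE` the old `===` produced; only the access check in the first hunk was shielded, via the added `''` default on `$request->query->get('token', '')`. Guard it inside `validate()` itself so every caller is covered: `if (!is_string($token)) { return FALSE; }` placed just before the `return Crypt::hashEquals(...)` line. The argument order is correct as written, with the computed token as the known string and the request token as the user-supplied one. The `validate()` signature and the `$seed` lookup the comparison relies on start outside the hunk.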