Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 8b3d42f

Browse filesBrowse files
tvlooytvlooy
committed
Fix division by zero
1 parent 8d028be commit 8b3d42f
Copy full SHA for 8b3d42f

File tree

2 files changed

+23
-0
lines changed
Filter options

2 files changed

+23
-0
lines changed

‎src/Symfony/Component/Security/Csrf/CsrfTokenManager.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Csrf/CsrfTokenManager.php
+3Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -134,6 +134,9 @@ private function derandomize(string $value): string
134134
return $value;
135135
}
136136
$key = base64_decode(strtr($parts[1], '-_', '+/'));
137+
if (0 === \strlen($key)) {
138+
return $value;
139+
}
137140
$value = base64_decode(strtr($parts[2], '-_', '+/'));
138141

139142
return $this->xor($value, $key);

‎src/Symfony/Component/Security/Csrf/Tests/CsrfTokenManagerTest.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Csrf/Tests/CsrfTokenManagerTest.php
+20Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -193,6 +193,26 @@ public function testNonExistingTokenIsNotValid($namespace, $manager, $storage)
193193
$this->assertFalse($manager->isTokenValid(new CsrfToken('token_id', 'FOOBAR')));
194194
}
195195

196+
public function testTokenShouldNotTriggerDivisionByZero()
197+
{
198+
[$generator, $storage] = $this->getGeneratorAndStorage();
199+
$manager = new CsrfTokenManager($generator, $storage);
200+
201+
// Scenario: the token that was returned is abc.def.ghi, and gets modified in the browser to abc..ghi
202+
203+
$storage->expects($this->once())
204+
->method('hasToken')
205+
->with('https-token_id')
206+
->willReturn(true);
207+
208+
$storage->expects($this->once())
209+
->method('getToken')
210+
->with('https-token_id')
211+
->willReturn('def');
212+
213+
$this->assertFalse($manager->isTokenValid(new CsrfToken('token_id', 'abc..ghi')));
214+
}
215+
196216
/**
197217
* @dataProvider getManagerGeneratorAndStorage
198218
*/

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.