Fixed CSRF token masking issue.

4b569f3e · Qiang Xue · eb4385d4 · 4b569f3e
Commit 4b569f3e authored Dec 27, 2013 by Qiang Xue
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

Request.php framework/yii/web/Request.php +3 -2

No files found.
--- a/framework/yii/web/Request.php
+++ b/framework/yii/web/Request.php
@@ -1039,7 +1039,8 @@ class Request extends \yii\base\Request
 		if ($this->_maskedCsrfToken === null) {
 			$token = $this->getCsrfToken();
 			$mask = Security::generateRandomKey(self::CSRF_MASK_LENGTH);
-			$this->_maskedCsrfToken = base64_encode($mask . $this->xorTokens($token, $mask));
+			// The + sign may be decoded as blank space later, which will fail the validation
+			$this->_maskedCsrfToken = str_replace('+', '.', base64_encode($mask . $this->xorTokens($token, $mask)));
 		}
 		return $this->_maskedCsrfToken;
 	}
@@ -1120,7 +1121,7 @@ class Request extends \yii\base\Request

 	private function validateCsrfTokenInternal($token, $trueToken)
 	{
-		$token = base64_decode($token);
+		$token = str_replace('.', '+', base64_decode($token));
 		$n = StringHelper::byteLength($token);
 		if ($n <= self::CSRF_MASK_LENGTH) {
 			return false;