Merge pull request #212 from Saeven/master

CSRF shouldn't throw PHP errors when it receives non-string input

Author: weierophinney

src/Csrf.php

@@ -116,7 +116,11 @@ public function __construct($options = [])
      */
     public function isValid($value, $context = null)
     {
-        $this->setValue((string) $value);
+        if (! is_string($value) ){
+            return false;    
+        }
+        
+        $this->setValue($value);
 
         $tokenId = $this->getTokenIdFromHash($value);
         $hash = $this->getValidationToken($tokenId);

test/CsrfTest.php

@@ -267,6 +267,11 @@ public function testCanValidateHasheWithoutId()
         $this->assertTrue($this->validator->isValid($bareToken));
     }
 
+    public function testCanRejectArrayValues()
+    {
+        $this->assertFalse($this->validator->isValid([]));
+    }
+
     public function fakeValuesDataProvider()
     {
         return [
@@ -277,7 +282,7 @@ public function fakeValuesDataProvider()
             ['fakeTokenId'],
             [md5(uniqid()) . '-'],
             [md5(uniqid()) . '-' . md5(uniqid())],
-            ['-' . md5(uniqid())]
+            ['-' . md5(uniqid())],
         ];
     }