This repository was archived by the owner on Jan 31, 2020. It is now read-only.

Commit c1bed80

Merge pull request #212 from Saeven/master
CSRF shouldn't throw PHP errors when it receives non-string input
2 parents b327118 + 9e13e74 commit c1bed80


2 files changed

+11
-2
lines changed


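--- a/src/Csrf.php
+++ b/src/Csrf.php
@@ -116,7 +116,11 @@ public function __construct($options = [])
 */
 public function isValid($value, $context = null)
 {
-$this->setValue((string) $value);
+if (! is_string($value) ){
+return false;
+}
+
+$this->setValue($value);
 
 $tokenId = $this->getTokenIdFromHash($value);
 $hash = $this->getValidationToken($tokenId);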
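Review bot: The new guard at the top of `isValid()` returns `false` for a non-string token without recording why, so a caller that reads `getMessages()` after a rejected array or `null` would presumably see nothing, or messages left over from an earlier call, because `setValue()` is no longer reached on that path. Failing closed is the right outcome for a CSRF check; I would also register the failure before returning, e.g. `$this->error(self::NOT_SAME);`, if that is the constant the rest of the method uses for a token mismatch. The remainder of `isValid()` lies outside this hunk, so confirm that against the full method. As a style point, the condition has a stray space before `)` and none before `{`; `if (! is_string($value)) {` reads cleaner.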

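--- a/test/CsrfTest.php
+++ b/test/CsrfTest.php
@@ -267,6 +267,11 @@ public function testCanValidateHasheWithoutId()
 $this->assertTrue($this->validator->isValid($bareToken));
 }
 
+public function testCanRejectArrayValues()
+{
+$this->assertFalse($this->validator->isValid([]));
+}
+
 public function fakeValuesDataProvider()
 {
 return [
@@ -277,7 +282,7 @@ public function fakeValuesDataProvider()
 ['fakeTokenId'],
 [md5(uniqid()) . '-'],
 [md5(uniqid()) . '-' . md5(uniqid())],
-['-' . md5(uniqid())]
+['-' . md5(uniqid())],
 ];
 }
 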
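Review bot: `testCanRejectArrayValues` pins only the empty-array case, but the `is_string()` guard it exercises changes the outcome for every non-string input, including `null`, integers and objects that the previous `(string)` cast in `src/Csrf.php` either coerced or raised on. I would run those through a data provider, as `fakeValuesDataProvider` already does for malformed tokens, with rows such as `[[]], [null], [123], [new \stdClass()]`. That documents the fail-closed behaviour per type and would catch a later loosening of the guard.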
