Merge branch 'hotfix/212'

Close #212

Author: weierophinney

CHANGELOG.md

@@ -39,6 +39,10 @@ All notable changes to this project will be documented in this file, in reverse
   missing `GpsPoint` validator entries to the `ValidatorPluginManager`, ensuring
   they may be retrieved from it correctly.
 
+- [#212](https://github.com/zendframework/zend-validator/pull/212) updates the
+  `CSRF` validator to automatically mark any non-string values as invalid,
+  preventing errors such as array to string conversion.
+
 ## 2.10.1 - 2017-08-22
 
 ### Added

src/Csrf.php

@@ -116,7 +116,11 @@ public function __construct($options = [])
      */
     public function isValid($value, $context = null)
     {
-        $this->setValue((string) $value);
+        if (! is_string($value)) {
+            return false;
+        }
+
+        $this->setValue($value);
 
         $tokenId = $this->getTokenIdFromHash($value);
         $hash = $this->getValidationToken($tokenId);

test/CsrfTest.php

@@ -267,6 +267,11 @@ public function testCanValidateHasheWithoutId()
         $this->assertTrue($this->validator->isValid($bareToken));
     }
 
+    public function testCanRejectArrayValues()
+    {
+        $this->assertFalse($this->validator->isValid([]));
+    }
+
     public function fakeValuesDataProvider()
     {
         return [
@@ -277,7 +282,7 @@ public function fakeValuesDataProvider()
             ['fakeTokenId'],
             [md5(uniqid()) . '-'],
             [md5(uniqid()) . '-' . md5(uniqid())],
-            ['-' . md5(uniqid())]
+            ['-' . md5(uniqid())],
         ];
     }