Use a HMAC to sign and validate CSRF tokens, instead of generating random ones and storing them in the session data

* Use an HMAC to sign and validate CSRF tokens, instead of generating random
ones and storing them in the session data. Reduces number of writes to
sessions table and fixes kanboard issue #4942.
* Added missing CSRF check for starting/stopping subtask timers.

Co-authored-by: Willemijn Coene <willemijn@irdc.nl>
This commit is contained in:
irdc
2022-09-18 02:23:41 +02:00
committed by GitHub
parent f68996b9c7
commit 4b76bc5b32
4 changed files with 84 additions and 28 deletions


@@ -20,10 +20,11 @@ class TokenTest extends Base
public function testCSRFTokens()
{
$token = new Token($this->container);
$t1 = $token->getCSRFToken();
$this->assertNotEmpty($t1);
$this->assertTrue($token->validateCSRFToken($t1));
$this->assertFalse($token->validateCSRFToken($t1));
$csrf = $token->getCSRFToken();
$this->assertTrue($token->validateCSRFToken($csrf));
$pcsrf = $token->getReusableCSRFToken();
$this->assertTrue($token->validateReusableCSRFToken($pcsrf));
}
}
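Review bot: testCSRFTokens has no negative case for a forged token: every validate call in the hunk is fed a token that getCSRFToken() or getReusableCSRFToken() has just produced, so a validateCSRFToken() that ignored the HMAC and accepted any well-formed string would still pass this test. Since the commit replaces random session-stored tokens with HMAC-signed ones, the signature check is the property worth pinning here; add for example `$this->assertFalse($token->validateCSRFToken($t1 . 'x'));` and `$this->assertFalse($token->validateCSRFToken('not-a-token'));` after the existing assertions. If the one-shot and reusable token types are meant to be distinct, a cross-check such as `$this->assertFalse($token->validateCSRFToken($pcsrf));` would also catch a validator that treats them interchangeably. The old/new side of the lines is not visible on this rendered page, so the replay assertion on the second validateCSRFToken($t1) call may be pre-existing rather than new.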