prevent timing attacks in digest auth listener

xabbuh · fabpot · commit ae55dcd67d5f · 2015-11-23T11:02:49.000+01:00
diff --git a/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php b/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php
@@ -66,7 +66,7 @@ public function isCsrfTokenValid($intention, $token)
             return StringUtils::equals($expectedToken, $token);
         }
 
-        return $token === $this->generateCsrfToken($intention);
+        return $token === $expectedToken;
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ public function isCsrfTokenValid($intention, $token)`
`66`	`66`	`return StringUtils::equals($expectedToken, $token);`
`67`	`67`	`}`
`68`	`68`
`69`		`- return $token === $this->generateCsrfToken($intention);`
	`69`	`+ return $token === $expectedToken;`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`/**`