Merge pull request #212 from Saeven/master

CSRF shouldn't throw PHP errors when it receives non-string input
zendframework · Feb 1, 2018 · c1bed80 · c1bed80
2 parents b327118 + 9e13e74
commit c1bed80
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/src/Csrf.php b/src/Csrf.php
@@ -116,7 +116,11 @@ public function __construct($options = [])
      */
     public function isValid($value, $context = null)
     {
-        $this->setValue((string) $value);
+        if (! is_string($value) ){
+            return false;    
+        }
+
+        $this->setValue($value);
 
         $tokenId = $this->getTokenIdFromHash($value);
         $hash = $this->getValidationToken($tokenId);

diff --git a/test/CsrfTest.php b/test/CsrfTest.php
@@ -267,6 +267,11 @@ public function testCanValidateHasheWithoutId()
         $this->assertTrue($this->validator->isValid($bareToken));
     }
 
+    public function testCanRejectArrayValues()
+    {
+        $this->assertFalse($this->validator->isValid([]));
+    }
+
     public function fakeValuesDataProvider()
     {
         return [
@@ -277,7 +282,7 @@ public function fakeValuesDataProvider()
             ['fakeTokenId'],
             [md5(uniqid()) . '-'],
             [md5(uniqid()) . '-' . md5(uniqid())],
-            ['-' . md5(uniqid())]
+            ['-' . md5(uniqid())],
         ];
     }