Merge pull request #4 from bhavinrshah/SEC-3052

theorchard · Jul 16, 2019 · 5ee4198 · 5ee4198
2 parents f66ecd4 + e37f6e0
commit 5ee4198
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 12 deletions.
diff --git a/libs/csrf/csrfprotector.php b/libs/csrf/csrfprotector.php
@@ -297,18 +297,13 @@ private static function getTokenFromRequest() {
         private static function isValidToken($token) {
             if (!isset($_SESSION[self::$config['CSRFP_TOKEN']])) return false;
             if (!is_array($_SESSION[self::$config['CSRFP_TOKEN']])) return false;
-            foreach ($_SESSION[self::$config['CSRFP_TOKEN']] as $key => $value) {
-                if ($value == $token) {
-
-                    // Clear all older tokens assuming they have been consumed
-                    foreach ($_SESSION[self::$config['CSRFP_TOKEN']] as $_key => $_value) {
-                        if ($_value == $token) break;
-                        array_shift($_SESSION[self::$config['CSRFP_TOKEN']]);
-                    }
+            // Clear match token from the session
+            foreach ($_SESSION[self::$config['CSRFP_TOKEN']] as $_key => $_value) {
+                if ($_value == $token) {
+                    unset($_SESSION[self::$config['CSRFP_TOKEN']][$_key]);
                     return true;
                 }
             }
-
             return false;
         }
 

diff --git a/test/csrfprotector_test.php b/test/csrfprotector_test.php
@@ -396,7 +396,7 @@ public function testAuthorisePost_success()
         $temp = $_SESSION[csrfprotector::$config['CSRFP_TOKEN']];
 
         csrfprotector::authorizePost(); //will create new session and cookies
-        $this->assertFalse($temp == $_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0]);
+        $this->assertTrue(!isset($_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0]));
         $this->assertTrue(csrfp_wrapper::checkHeader('Set-Cookie'));
         $this->assertTrue(csrfp_wrapper::checkHeader('csrfp_token'));
         // $this->assertTrue(csrfp_wrapper::checkHeader($_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0]));  // Combine these 3 later
@@ -406,7 +406,7 @@ public function testAuthorisePost_success()
         csrfp_wrapper::changeRequestType('GET');
         $_POST[csrfprotector::$config['CSRFP_TOKEN']]
             = $_GET[csrfprotector::$config['CSRFP_TOKEN']]
-            = $_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0];
+            = $_SESSION[csrfprotector::$config['CSRFP_TOKEN']][1];
         $temp = $_SESSION[csrfprotector::$config['CSRFP_TOKEN']];
 
         csrfprotector::authorizePost(); //will create new session and cookies
@@ -437,7 +437,7 @@ public function testAuthorisePost_success_2()
         $temp = $_SESSION[csrfprotector::$config['CSRFP_TOKEN']];
 
         csrfprotector::authorizePost(); //will create new session and cookies
-        $this->assertFalse($temp == $_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0]);
+        $this->assertTrue(!isset($_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0]));
         $this->assertTrue(csrfp_wrapper::checkHeader('Set-Cookie'));
         $this->assertTrue(csrfp_wrapper::checkHeader('csrfp_token'));
         // $this->assertTrue(csrfp_wrapper::checkHeader($_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0]));  // Combine these 3 later