yii2: Empty string in _csrf causes a problem
I’m not sure if this is a bug, but anyway, if an empty string is written in _csrf, it causes a 500: `First parameter ($length) must be greater than 0 in yiisoft/yii2/base/Security.php:462`, without regenerating the token.
```php
public function getCsrfToken($regenerate = false)
{
    if ($this->_csrfToken === null || $regenerate) {
        if ($regenerate || ($token = $this->loadCsrfToken()) === null) { // here the token is not regenerated: the empty string is written into $token
            $token = $this->generateCsrfToken();
        }
        $this->_csrfToken = Yii::$app->security->maskToken($token); // here it fails with a 500 from generateRandomKey(0)
    }

    return $this->_csrfToken;
}
```
What steps will reproduce the problem?
Write the string “” into _csrf
What is the expected result?
The token is regenerated
What do you get instead?
Invalid Parameter – yii\base\InvalidParamException
Additional info
| Q | A |
|---|---|
| Yii version | 2.0.13.1 |
| PHP version | 7.1.10 |
| Operating system | Linux 9ab5b593e8ae 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 |
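
The failure above, as an added stand-alone reproduction that is not code from the issue or from yiisoft/yii2. It re-implements the masking scheme of `yii\base\Security::maskToken()` (a random mask of the token's byte length, followed by mask XOR token, base64url-encoded) and the token-loading branch of `yii\web\Request::getCsrfToken()` as plain functions, so it runs with the PHP CLI and no Yii install. The function names, the `$store` array standing in for the cookie/session, and the `empty()` check in the hardened branch are assumptions made for this example; the hardened branch mirrors the intent of the fix commit listed below, not its exact code.

```php
<?php
// Added example, not yiisoft/yii2 code: minimal re-implementation of Yii's CSRF
// token masking and of the getCsrfToken() loading branch, to reproduce the
// empty-string failure and show the hardened check. Names are assumptions.

function generateRandomKey(int $length): string
{
    // Like Yii, refuse a non-positive length; this is the exception the reporter hit.
    if ($length < 1) {
        throw new InvalidArgumentException('First parameter ($length) must be greater than 0');
    }
    return random_bytes($length);
}

function maskToken(string $token): string
{
    // The mask is exactly as long as the token, so an empty token asks for 0 random bytes.
    $mask = generateRandomKey(strlen($token));
    return rtrim(strtr(base64_encode($mask . ($mask ^ $token)), '+/', '-_'), '=');
}

function unmaskToken(string $masked): string
{
    $decoded = base64_decode(strtr($masked, '-_', '+/'), true);
    // A valid masked token always has an even length: mask || (mask XOR token).
    if ($decoded === false || strlen($decoded) % 2 !== 0) {
        return '';
    }
    $half = intdiv(strlen($decoded), 2);
    return substr($decoded, $half) ^ substr($decoded, 0, $half);
}

function generateCsrfToken(): string
{
    return generateRandomKey(32);
}

// $store stands in for the cookie or session the real loadCsrfToken() reads (assumption).
function loadCsrfToken(array $store): ?string
{
    return $store['_csrf'] ?? null;
}

// The branch as reported: only null triggers regeneration, so "" reaches maskToken().
function getCsrfTokenBuggy(array $store): string
{
    if (($token = loadCsrfToken($store)) === null) {
        $token = generateCsrfToken();
    }
    return maskToken($token);
}

// Hardened branch: treat any empty value like a missing one and regenerate.
function getCsrfTokenFixed(array $store): string
{
    if (empty($token = loadCsrfToken($store))) {
        $token = generateCsrfToken();
    }
    return maskToken($token);
}

// Reproduction: a client that stores _csrf="" trips the length check in the buggy branch.
try {
    getCsrfTokenBuggy(['_csrf' => '']);
    echo "buggy: no error (unexpected)\n";
} catch (InvalidArgumentException $e) {
    echo "buggy: {$e->getMessage()}\n";
}

// The hardened branch regenerates instead of masking the empty string.
$masked = getCsrfTokenFixed(['_csrf' => '']);
echo 'fixed: regenerated a ' . strlen(unmaskToken($masked)) . "-byte token\n";

// The mask is fresh per call, so the same token masks differently each time while
// unmasking recovers the original; comparisons must therefore unmask first.
$token = generateCsrfToken();
echo 'round trip ok: ' . var_export(unmaskToken(maskToken($token)) === $token, true) . "\n";
echo 'masks differ: ' . var_export(maskToken($token) !== maskToken($token), true) . "\n";
```

Run it with `php repro.php`. The first line shows the same `must be greater than 0` failure the report describes, raised from inside masking rather than from token generation, which is why the unchanged `=== null` check never regenerates; the remaining lines show that the empty check is all that is needed at the call site, so the masking routine itself can keep rejecting zero-length input.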
About this issue
- Original URL
- State: closed
- Created 7 years ago
- Comments: 17 (14 by maintainers)
Commits related to this issue
- Fixes #15317: Regenerate CSRF token if an empty value is given — committed to yiisoft/yii2 by SamMousa 7 years ago
CSRF is not really my area. Who was it that gave us the masking algorithm not long ago?
Is it an option to test for this condition and throw an exception? Is there a valid reason to use empty string as CSRF token? It seems to me that an empty string does not qualify as any kind of a token.
@samdark I’ve fixed the issue without changing the Security component, the discussion about masking / unmasking can then be tabled or continued separately, whichever you prefer!
That makes sense to me.
Not in the Security class, since it’s general masking, not specific to CSRF tokens. It does not make sense to mask an empty token, but it may make sense for another token type.