|
21 | 21 | use Config\Cookie as CookieConfig; |
22 | 22 | use Config\Security as SecurityConfig; |
23 | 23 | use Config\Services; |
| 24 | +use ErrorException; |
| 25 | +use InvalidArgumentException; |
24 | 26 | use LogicException; |
25 | 27 |
|
26 | 28 | /** |
@@ -278,8 +280,13 @@ public function verify(RequestInterface $request) |
278 | 280 | } |
279 | 281 |
|
280 | 282 | $postedToken = $this->getPostedToken($request); |
281 | | - $token = ($postedToken !== null && $this->tokenRandomize) |
282 | | - ? $this->derandomize($postedToken) : $postedToken; |
| 283 | + |
| 284 | + try { |
| 285 | + $token = ($postedToken !== null && $this->tokenRandomize) |
| 286 | + ? $this->derandomize($postedToken) : $postedToken; |
| 287 | + } catch (InvalidArgumentException $e) { |
| 288 | + $token = null; |
| 289 | + } |
283 | 290 |
|
284 | 291 | // Do the tokens match? |
285 | 292 | if (! isset($token, $this->hash) || ! hash_equals($this->hash, $token)) { |
@@ -359,13 +366,20 @@ protected function randomize(string $hash): string |
359 | 366 |
|
360 | 367 | /** |
361 | 368 | * Derandomize the token. |
| 369 | + * |
| 370 | + * @throws InvalidArgumentException "hex2bin(): Hexadecimal input string must have an even length" |
362 | 371 | */ |
363 | 372 | protected function derandomize(string $token): string |
364 | 373 | { |
365 | 374 | $key = substr($token, -static::CSRF_HASH_BYTES * 2); |
366 | 375 | $value = substr($token, 0, static::CSRF_HASH_BYTES * 2); |
367 | 376 |
|
368 | | - return bin2hex(hex2bin($value) ^ hex2bin($key)); |
| 377 | + try { |
| 378 | + return bin2hex(hex2bin($value) ^ hex2bin($key)); |
| 379 | + } catch (ErrorException $e) { |
| 380 | + // "hex2bin(): Hexadecimal input string must have an even length" |
| 381 | + throw new InvalidArgumentException($e->getMessage()); |
| 382 | + } |
369 | 383 | } |
370 | 384 |
|
371 | 385 | /** |
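Review bot: The new catch in derandomize only takes effect when PHP warnings are being converted to ErrorException by the framework's error handler; with a plain handler, as far as I can tell, `hex2bin()` on malformed input returns `false` with a warning, and `bin2hex(false ^ false)` then either raises a TypeError or yields a meaningless hex string instead of the InvalidArgumentException that verify() now expects. Validating the shape up front removes that dependency and also rejects tokens whose two halves would be truncated by the `substr` calls (assuming randomize() always emits a value half and a key half of CSRF_HASH_BYTES bytes each): `if (strlen($token) !== static::CSRF_HASH_BYTES * 4 || ! ctype_xdigit($token)) { throw new InvalidArgumentException('Invalid CSRF token format.'); }` placed before the substr lines, keeping the existing try/catch as a fallback. The new `@throws` line and the inline comment quote only the even-length message, but hex2bin also warns with "Input string must be hexadecimal string" for non-hex characters, so a wording such as `@throws InvalidArgumentException if the token is not a hexadecimal string of the expected length` describes both cases; the same assumption applies to the catch added in the verify() hunk above.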
|