[cvs] commit: framework/Token Token.php
Chuck Hagenbuch
chuck at horde.org
Mon Nov 24 19:37:52 UTC 2008
Quoting Michael M Slusarz <slusarz at horde.org>:
> slusarz 2008-11-24 14:05:42 EST
>
> Modified files:
> Token Token.php
> Log:
> Not sure if I am missing something here, but revision 1.52 broke token
> checking in two places: 1) the value was being B64 encoded but then never
> being B64 decoded later, and 2) sha1 returns a 40-byte code but the
> SQL schema only allows 32-byte IDs. Go back to using md5() and decode token
> when verifying, but I'm not sure this is what was originally intended (although
> it makes it possible for me to send messages in IMP again).
I had not been having trouble, so I'm not sure what's going on here.
For one thing, the decoding is unnecessary; the token should be stored
encoded. The encoding is to take the raw binary output (the 2nd
argument of "true" to sha1, which you're also passing to md5 now) and
make it ASCII. Using raw sha1 output + uriB64Encode should result in a
27-character long token, which fits just fine in the db field.
Also, you get an error if the token has been used before, so decoding
shouldn't matter.
-chuck
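
The token lengths discussed in this thread, checked against a 32-character ID column, as an added example that is not part of the original message or Horde's code. `uri_b64_encode()` is a hypothetical stand-in for `uriB64Encode` (assumed here to be URL-safe base64 with the padding stripped), and `TokenStore` is an in-memory substitute for the SQL table.

```php
<?php
// Added illustration, not Horde's code.
// Hypothetical stand-in for uriB64Encode: URL-safe alphabet, '=' padding
// stripped (an assumption about its behaviour).
function uri_b64_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

const ID_COLUMN_WIDTH = 32; // ID width given in the quoted commit log

// The four ways of turning the same seed into a token ID.
function candidate_tokens(string $seed): array
{
    return [
        'sha1 hex'           => sha1($seed),                        // 40 chars
        'md5 hex'            => md5($seed),                         // 32 chars
        'sha1 raw + uri b64' => uri_b64_encode(sha1($seed, true)),  // 27 chars
        'md5 raw + uri b64'  => uri_b64_encode(md5($seed, true)),   // 22 chars
    ];
}

// In-memory substitute for the token table: the encoded token is the ID.
final class TokenStore
{
    private array $seen = [];

    public function add(string $token): void
    {
        if (strlen($token) > ID_COLUMN_WIDTH) {
            throw new LengthException('token longer than ID column');
        }
        if (isset($this->seen[$token])) {
            throw new RuntimeException('token already used');
        }
        $this->seen[$token] = time();
    }
}

$store = new TokenStore();
$seed  = random_bytes(16); // constructed sample input
foreach (candidate_tokens($seed) as $label => $token) {
    try {
        $store->add($token);
        $result = 'stored';
    } catch (LengthException | RuntimeException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("%-20s %2d chars  %s\n", $label, strlen($token), $result);
}
```

Only the hex sha1 form exceeds the column; calling `add()` a second time with any stored token raises the "already used" error.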