Merge pull request #372 from facebook/gFosco.csrf2

gfosco · gfosco · commit 8f65adc2cf74 · 2015-03-02T11:55:02.000-08:00
Updated FacebookRedirectLoginHelper and SignedRequest ...
diff --git a/src/Facebook/Entities/SignedRequest.php b/src/Facebook/Entities/SignedRequest.php
@@ -324,8 +324,18 @@ public static function validateSignature($hashedSig, $sig)
    */
   public static function validateCsrf(array $data, $state)
   {
-    if (isset($data['state']) && $data['state'] === $state) {
-      return;
+    if (isset($data['state'])) {
+      $savedLen = strlen($state);
+      $givenLen = strlen($data['state']);
+      if ($savedLen == $givenLen) {
+        $result = 0;
+        for ($i = 0; $i < $savedLen; $i++) {
+          $result |= ord($state[$i]) ^ ord($data['state'][$i]);
+        }
+        if ($result === 0) {
+          return;
+        }
+      }
     }
 
     throw new FacebookSDKException(
diff --git a/src/Facebook/FacebookRedirectLoginHelper.php b/src/Facebook/FacebookRedirectLoginHelper.php
@@ -203,8 +203,21 @@ public function getSessionFromRedirect()
    */
   protected function isValidRedirect()
   {
-    return $this->getCode() && isset($_GET['state'])
-        && $_GET['state'] == $this->state;
+    $savedState = $this->getCode();
+    if (!$this->getCode() || !isset($_GET['state'])) {
+      return false;
+    }
+    $givenState = $_GET['state'];
+    $savedLen = mb_strlen($savedState);
+    $givenLen = mb_strlen($givenState);
+    if ($savedLen !== $givenLen) {
+      return false;
+    }
+    $result = 0;
+    for ($i = 0; $i < $savedLen; $i++) {
+      $result |= ord($savedState[$i]) ^ ord($givenState[$i]);
+    }
+    return $result === 0;
   }
 
   /**
