Always use length of database link_token for token validation

[MAILPOET-2364]
2019-09-17 14:32:45 +02:00
parent 2b02d22232
commit 09db91bc33
2 changed files with 17 additions and 2 deletions
--- a/lib/Models/Subscriber.php
+++ b/lib/Models/Subscriber.php
@ -138,10 +138,12 @@ class Subscriber extends Model {
  }

  function verifyToken($token) {
+    $database_token = $this->getLinkToken();
+    $request_token = substr($token, 0, strlen($database_token));
    return call_user_func(
      'hash_equals',
-      $this->getLinkToken(),
-      $token
+      $database_token,
+      $request_token
    );
  }