src/applications/auth/factor/PhabricatorAuthFactor.php
Show First 20 Lines • Show All 407 Lines • ▼ Show 20 Lines | final protected function loadMFASyncToken( | ||||
// provide a known key for factors like TOTP. | // provide a known key for factors like TOTP. | ||||
// (We store and verify the hash of the key, not the key itself, to limit | // (We store and verify the hash of the key, not the key itself, to limit | ||||
// how useful the data in the table is to an attacker.) | // how useful the data in the table is to an attacker.) | ||||
$sync_type = PhabricatorAuthMFASyncTemporaryTokenType::TOKENTYPE; | $sync_type = PhabricatorAuthMFASyncTemporaryTokenType::TOKENTYPE; | ||||
$sync_token = null; | $sync_token = null; | ||||
$sync_key = $request->getStr($this->getMFASyncTokenFormKey()); | $sync_key = $request->getStr($this->getMFASyncTokenFormKey(), ''); | ||||
if (strlen($sync_key)) { | if ($sync_key !== '') { | ||||
$sync_key_digest = PhabricatorHash::digestWithNamedKey( | $sync_key_digest = PhabricatorHash::digestWithNamedKey( | ||||
valerio.bozzolan: ✅ I verified the above line
The method `AphrontRequest::getStr($something, '')` assures that… | |||||
$sync_key, | $sync_key, | ||||
PhabricatorAuthMFASyncTemporaryTokenType::DIGEST_KEY); | PhabricatorAuthMFASyncTemporaryTokenType::DIGEST_KEY); | ||||
$sync_token = id(new PhabricatorAuthTemporaryTokenQuery()) | $sync_token = id(new PhabricatorAuthTemporaryTokenQuery()) | ||||
->setViewer($user) | ->setViewer($user) | ||||
->withTokenResources(array($user->getPHID())) | ->withTokenResources(array($user->getPHID())) | ||||
->withTokenTypes(array($sync_type)) | ->withTokenTypes(array($sync_type)) | ||||
->withExpired(false) | ->withExpired(false) | ||||
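Review bot: The new guard `if ($sync_key !== '')` on the right-hand side is only equivalent to the old `strlen($sync_key)` check if `getStr()` always returns a string. A strict comparison against `''` treats any non-string value as "present" and lets it through to `PhabricatorHash::digestWithNamedKey()`. The `''` default added on the line above covers the missing-parameter case, so the two edits are coupled and should stay together. Please confirm that `getStr()` casts a supplied value to string, and consider a one-line comment above the `if` saying the strict check depends on the `''` default. Otherwise a later cleanup that drops the default would silently change which requests skip the sync-token lookup.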
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0
✅ I verified the above line
The method `AphrontRequest::getStr($something, '')` assures that we only receive something that is never null, since internally it does an `isset()` lookup against the potentially returned value, excluding null.