Fixes #1634: Use masked CSRF tokens to prevent BREACH exploits

Qiang Xue
2013-12-26 17:51:14 -05:00
parent 2686403c0e
commit c8960168c5
4 changed files with 60 additions and 3 deletions


@@ -388,7 +388,7 @@ class View extends \yii\base\View
$request = Yii::$app->getRequest();
if ($request instanceof \yii\web\Request && $request->enableCsrfValidation) {
$lines[] = Html::tag('meta', '', ['name' => 'csrf-var', 'content' => $request->csrfVar]);
$lines[] = Html::tag('meta', '', ['name' => 'csrf-token', 'content' => $request->getCsrfToken()]);
$lines[] = Html::tag('meta', '', ['name' => 'csrf-token', 'content' => $request->getMaskedCsrfToken()]);
}
if (!empty($this->linkTags)) {