Describe the bug
When CSRF tokens are modified client-side, resolving token values with the Xor* implementations is not consistent:
- When the expected token (stored via `CsrfToken`) is shorter than the provided token, a token of arbitrary length is resolved
- When the expected token (stored via `CsrfToken`) is longer than the provided token, an `ArrayIndexOutOfBoundsException` is thrown
Expected behavior
When CSRF tokens are modified client-side, resolving CSRF token values should be consistent:
- When the expected token is shorter than the provided token, the token should be resolved as `null`
- When the expected token is longer than the provided token, the token should be resolved as `null`
Additionally, we should ensure the following edge cases are covered:
- When a single byte is added to the encoded token, the token should be resolved as `null` and no `ArrayIndexOutOfBoundsException` is thrown
- When a single byte is removed from the encoded token, the token should be resolved as `null` and no `ArrayIndexOutOfBoundsException` is thrown
Context
This issue was originally reported via gh-13310 and partially resolved in 6.2.0.
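The following is an added, self-contained illustration of the behaviour the issue asks for; it is not Spring Security's XorCsrfTokenRequestAttributeHandler code. The class and method names (`XorCsrfTokenLengthDemo`, `mask`, `unmask`, `matches`) and the sample token value are hypothetical. It masks a token the way the Xor* scheme does (random bytes followed by token XOR random, Base64-encoded) and, on the way back, rejects any decoded length other than exactly twice the expected token length with `null`, so a shorter or longer expected token and a single added or removed byte all take the same path instead of yielding an arbitrary-length token or an `ArrayIndexOutOfBoundsException`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added illustration only: not Spring Security's implementation. Names are hypothetical.
public final class XorCsrfTokenLengthDemo {

    private static final SecureRandom RANDOM = new SecureRandom();

    // Mask the expected token for the client: random bytes, then token XOR random,
    // URL-safe Base64 without padding.
    static String mask(String expectedToken) {
        byte[] tokenBytes = expectedToken.getBytes(StandardCharsets.UTF_8);
        byte[] randomBytes = new byte[tokenBytes.length];
        RANDOM.nextBytes(randomBytes);
        byte[] combined = new byte[tokenBytes.length * 2];
        System.arraycopy(randomBytes, 0, combined, 0, tokenBytes.length);
        System.arraycopy(xor(randomBytes, tokenBytes), 0, combined, tokenBytes.length, tokenBytes.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(combined);
    }

    // Resolve the token the client sent back. Any decoded length other than exactly
    // twice the expected token length resolves to null: no truncated token is returned
    // and no ArrayIndexOutOfBoundsException can be reached.
    static String unmask(String expectedToken, String actualToken) {
        byte[] actualBytes;
        try {
            actualBytes = Base64.getUrlDecoder().decode(actualToken);
        } catch (IllegalArgumentException ex) {
            return null; // not valid Base64 at all
        }
        byte[] tokenBytes = expectedToken.getBytes(StandardCharsets.UTF_8);
        int tokenSize = tokenBytes.length;
        if (actualBytes.length != tokenSize * 2) {
            return null; // expected shorter or longer, one byte added or removed: all rejected alike
        }
        byte[] randomBytes = Arrays.copyOfRange(actualBytes, 0, tokenSize);
        byte[] xoredBytes = Arrays.copyOfRange(actualBytes, tokenSize, tokenSize * 2);
        return new String(xor(randomBytes, xoredBytes), StandardCharsets.UTF_8);
    }

    // Compare the resolved value against the expected token without a timing side channel.
    static boolean matches(String expectedToken, String actualToken) {
        String resolved = unmask(expectedToken, actualToken);
        if (resolved == null) {
            return false;
        }
        return MessageDigest.isEqual(expectedToken.getBytes(StandardCharsets.UTF_8),
                resolved.getBytes(StandardCharsets.UTF_8));
    }

    private static byte[] xor(byte[] a, byte[] b) {
        byte[] out = new byte[a.length];
        for (int i = 0; i < a.length; i++) {
            out[i] = (byte) (a[i] ^ b[i]);
        }
        return out;
    }

    // The two client-side tamperings named in the issue: one raw byte added or removed
    // from the encoded token, re-encoded so the Base64 itself stays valid.
    static String withOneByteAdded(String encoded) {
        byte[] bytes = Base64.getUrlDecoder().decode(encoded);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(Arrays.copyOf(bytes, bytes.length + 1));
    }

    static String withOneByteRemoved(String encoded) {
        byte[] bytes = Base64.getUrlDecoder().decode(encoded);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(Arrays.copyOf(bytes, bytes.length - 1));
    }

    public static void main(String[] args) {
        String expected = "5b1c3f8e-0e8a-4c2f-9b4d-6f7a2d3c1e90"; // constructed sample token value
        String masked = mask(expected);

        System.out.println("untampered       -> " + matches(expected, masked));
        System.out.println("expected shorter -> " + unmask(expected.substring(0, 8), masked));
        System.out.println("expected longer  -> " + unmask(expected + "-extra", masked));
        System.out.println("one byte added   -> " + unmask(expected, withOneByteAdded(masked)));
        System.out.println("one byte removed -> " + unmask(expected, withOneByteRemoved(masked)));
    }
}
```

Running `main` shows the untampered token matching and each of the four tampered cases resolving to `null`. The single length check in `unmask` is what gives the consistency the issue asks for: the XOR loop only ever runs over slices that are known to be exactly `tokenSize` bytes, so it cannot read past the end of the decoded array or produce a value longer than the expected token.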
Comment From: sjohnr
See this comment for more info.