Default to an empty string when validating the signature hash query p…

…arameter (#23721)
laravel · Mar 28, 2018 · 30d2f7f · 30d2f7f
1 parent 13f732e
commit 30d2f7f
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/src/Illuminate/Routing/UrlGenerator.php b/src/Illuminate/Routing/UrlGenerator.php
@@ -347,7 +347,7 @@ public function hasValidSignature(Request $request)
 
         $signature = hash_hmac('sha256', $original, call_user_func($this->keyResolver));
 
-        return  hash_equals($signature, $request->query('signature')) &&
+        return  hash_equals($signature, $request->query('signature', '')) &&
                ! ($expires && Carbon::now()->getTimestamp() > $expires);
     }
 

diff --git a/tests/Integration/Routing/UrlSigningTest.php b/tests/Integration/Routing/UrlSigningTest.php
@@ -39,6 +39,15 @@ public function test_temporary_signed_urls()
         $this->assertEquals('invalid', $this->get($url)->original);
     }
 
+    public function test_signed_url_with_url_without_signature_parameter()
+    {
+        Route::get('/foo/{id}', function (Request $request, $id) {
+            return $request->hasValidSignature() ? 'valid' : 'invalid';
+        })->name('foo');
+
+        $this->assertEquals('invalid', $this->get('/foo/1')->original);
+    }
+
     public function test_signed_middleware()
     {
         Route::get('/foo/{id}', function (Request $request, $id) {