From 800c39c8d71f0e0afa146ffc7b4675a630b27450 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristoffer=20H=C3=B6gberg?=
Date: Wed, 28 Mar 2018 11:39:32 +0200
Subject: [PATCH] Default to an empty string when validating the signature hash query parameter
---
 src/Illuminate/Routing/UrlGenerator.php | 2 +-
 tests/Integration/Routing/UrlSigningTest.php | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/Illuminate/Routing/UrlGenerator.php b/src/Illuminate/Routing/UrlGenerator.php
index 714e74ceea90..7c7a417ed20e 100755
--- a/src/Illuminate/Routing/UrlGenerator.php
+++ b/src/Illuminate/Routing/UrlGenerator.php
@@ -347,7 +347,7 @@ public function hasValidSignature(Request $request)
 $signature = hash_hmac('sha256', $original, call_user_func($this->keyResolver));
- return hash_equals($signature, $request->query('signature')) &&
+ return hash_equals($signature, $request->query('signature', '')) &&
 ! ($expires && Carbon::now()->getTimestamp() > $expires);
 }
diff --git a/tests/Integration/Routing/UrlSigningTest.php b/tests/Integration/Routing/UrlSigningTest.php
index 824fdf05d55b..d2e099aabc2d 100644
--- a/tests/Integration/Routing/UrlSigningTest.php
+++ b/tests/Integration/Routing/UrlSigningTest.php
@@ -39,6 +39,15 @@ public function test_temporary_signed_urls()
 $this->assertEquals('invalid', $this->get($url)->original);
 }
+ public function test_signed_url_with_url_without_signature_parameter()
+ {
+ Route::get('/foo/{id}', function (Request $request, $id) {
+ return $request->hasValidSignature() ? 'valid' : 'invalid';
+ })->name('foo');
+
+ $this->assertEquals('invalid', $this->get('/foo/1')->original);
+ }
+
 public function test_signed_middleware()
 {
 Route::get('/foo/{id}', function (Request $request, $id) {
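Review bot: The `''` default in `hasValidSignature()` only covers a request with no `signature` parameter; if `$request->query('signature')` can also return an array (as it appears to when the parameter is sent in bracket form), `hash_equals()` still receives a non-string and errors instead of the method returning false. Guarding the type before comparing closes that gap: `$provided = $request->query('signature', '');` followed by `return is_string($provided) && hash_equals($signature, $provided) &&`, with the expiry clause left as is. The new test in tests/Integration/Routing/UrlSigningTest.php pins only the absent-parameter case, so a second assertion for a non-string value would be worth adding there. The body of `hasValidSignature()` starts above this hunk, so how `$expires` is read is not visible here.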
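Review bot: The test name `test_signed_url_with_url_without_signature_parameter` repeats "url" and reads awkwardly; `test_signed_url_without_signature_parameter` says the same thing. A one-line comment above the assertion, such as `// A missing signature must be reported as invalid, not passed to hash_equals() as null.`, would record why the case exists. The added method is complete within the hunk; the trailing context opens `test_signed_middleware()`, which continues past it.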