Description
I found another place in PHP Shindig where the security token is decoded twice; it is still present in the current revision (see SHINDIG-966):
— - 2010-08-09 16:35:38.000000000 +0200
+++ php/src/gadgets/GadgetContext.php 2010-07-30 13:46:20.000000000 +0200
@@ -285,9 +285,6 @@
- @return SecurityToken An object representation of the token data.
*/
public function validateToken($token, $signer) {
- if (count(explode(':', $token)) < 7)
{
- $token = urldecode(base64_decode($token));
- }
if (empty($token))
{ throw new Exception("Missing or invalid security token"); }