Martin Probst authored
Passing a zero length key (or secret) gives no safety against XSRF attacks. This is a relatively easy mistake to make, e.g. by passing `make([]byte, 0, 1024)` to `rand.Read` instead of `make([]byte, 1024)`, and currently fails open, silently.

This uses panic, as the API does not allow returning a structured error, and catching this programming error is not worth breaking API compatibility. Passing a zero length secret is also not an error condition that API callers would handle, so there is little value in returning a proper error.

Change-Id: Ib6457347675872188d51d2a220eee4b67900f79e
Reviewed-on: https://go-review.googlesource.com/42411
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
0819898f
Name | Last commit | Last update |
---|---|---|
.. | ||
xsrf.go | ||
xsrf_test.go | ||
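The mistake described in the commit message, shown as an added example (not code from this repository): `rand.Read` fills `len(buf)` bytes, so a slice with length 0 and capacity 1024 comes back empty with no error. The names `fillKey`, `checkKey` and `token` are hypothetical, and the HMAC-SHA256 `token` is a stand-in, not the package's token format.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// fillKey mimics a caller that generates a secret with crypto/rand.
// rand.Read fills len(buf) bytes, so a zero-length slice is "filled"
// successfully: n == 0 and err == nil.
func fillKey(buf []byte) ([]byte, int, error) {
	n, err := rand.Read(buf)
	return buf, n, err
}

// checkKey is a hypothetical caller-side guard. The commit itself panics
// inside the library rather than returning an error.
func checkKey(key []byte) error {
	if len(key) == 0 {
		return errors.New("xsrf key is empty")
	}
	return nil
}

// token is a stand-in MAC over user and action (assumption: not the
// package's real token layout).
func token(key []byte, userID, actionID string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(userID + ":" + actionID))
	return hex.EncodeToString(m.Sum(nil))
}

func main() {
	// Length 0, capacity 1024: the mistake from the commit message.
	bad, n, err := fillKey(make([]byte, 0, 1024))
	fmt.Println(len(bad), n, err, checkKey(bad))

	// Length 1024: the intended call.
	good, n, err := fillKey(make([]byte, 1024))
	fmt.Println(len(good), n, err, checkKey(good))

	// With the empty key the MAC depends only on public inputs (constructed values).
	fmt.Println(token(bad, "alice", "/transfer") == token(nil, "alice", "/transfer"))
}
```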