From 765c7e89b3bdd76bfc210acddd3ca73931eb8d1d Mon Sep 17 00:00:00 2001
From: ghosind
Date: Mon, 22 Jul 2024 03:20:41 +0000
Subject: [PATCH] xsrftoken: create no padding base64 string by RawURLEncoding

The XSRF token generation function creates the padded base64 string by base64.URLEncoding, then removes the padding. It is equivalent to the base64.RawURLEncoding but with more costs.

Change-Id: I9cf5ad94e9cf3dca9bbfc1b6818ab07d41acf417
GitHub-Last-Rev: a8263b543cc3c779c7e20ba143994d638e3b7143
GitHub-Pull-Request: golang/net#217
Reviewed-on: https://go-review.googlesource.com/c/net/+/599895
Reviewed-by: Ian Lance Taylor
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Damien Neil
Auto-Submit: Ian Lance Taylor
Commit-Queue: Damien Neil
Commit-Queue: Ian Lance Taylor
---
 xsrftoken/xsrf.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/xsrftoken/xsrf.go b/xsrftoken/xsrf.go
index 3ca5d5b9f..e808e6dd8 100644
--- a/xsrftoken/xsrf.go
+++ b/xsrftoken/xsrf.go
@@ -45,10 +45,9 @@ func generateTokenAtTime(key, userID, actionID string, now time.Time) string {
  h := hmac.New(sha1.New, []byte(key))
  fmt.Fprintf(h, "%s:%s:%d", clean(userID), clean(actionID), milliTime)
- // Get the padded base64 string then removing the padding.
+ // Get the no padding base64 string.
  tok := string(h.Sum(nil))
- tok = base64.URLEncoding.EncodeToString([]byte(tok))
- tok = strings.TrimRight(tok, "=")
+ tok = base64.RawURLEncoding.EncodeToString([]byte(tok))
  return fmt.Sprintf("%s:%d", tok, milliTime)
 }
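Review bot: The new encoding line still converts the MAC to a string and straight back to bytes, `tok := string(h.Sum(nil))` followed by `[]byte(tok)`. Since the commit is about removing needless cost, the two statements can collapse to `tok := base64.RawURLEncoding.EncodeToString(h.Sum(nil))`. The rewritten comment would read better as `// Encode the MAC as unpadded, URL-safe base64.`. The token string is presumably what validation compares (that code is outside this hunk), so a test pinning the output for a fixed key, user, action and time would show that the wire format is unchanged and that tokens issued before this change still verify. generateTokenAtTime begins above the hunk.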