feat: Add generate session token to CsrfTokenManager

CarlSchwan · susnux · commit e21b7d112198 · 2026-05-12T18:24:12.000+02:00
Signed-off-by: Carl Schwan &lt;carlschwan@kde.org&gt;
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -196,7 +196,7 @@ public function beforeController($controller, $methodName) {
 			}
 		}
 		// CSRF check - also registers the CSRF token since the session may be closed later
-		Server::get(CsrfTokenManager::class)->getToken()->getEncryptedValue();
+		Server::get(CsrfTokenManager::class)->generateSessionToken();
 		if ($this->isInvalidCSRFRequired($reflectionMethod)) {
 			/*
 			 * Only allow the CSRF check to fail on OCS Requests. This kind of
diff --git a/lib/private/Security/CSRF/CsrfTokenManager.php b/lib/private/Security/CSRF/CsrfTokenManager.php
@@ -74,4 +74,8 @@ public function isTokenValid(CsrfToken $token): bool {
 			$token->getDecryptedValue()
 		);
 	}
+
+	public function generateSessionToken(): void {
+		$this->getToken();
+	}
 }
diff --git a/lib/public/Util.php b/lib/public/Util.php
@@ -449,7 +449,6 @@ public static function sanitizeHTML(string|array|null $value): string|array {
 				return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
 			}, $value);
 		}
-		// Specify encoding for PHP<5.4
 		return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -196,7 +196,7 @@ public function beforeController($controller, $methodName) {`
`196`	`196`	`}`
`197`	`197`	`}`
`198`	`198`	`// CSRF check - also registers the CSRF token since the session may be closed later`
`199`		`- Server::get(CsrfTokenManager::class)->getToken()->getEncryptedValue();`
	`199`	`+ Server::get(CsrfTokenManager::class)->generateSessionToken();`
`200`	`200`	`if ($this->isInvalidCSRFRequired($reflectionMethod)) {`
`201`	`201`	`/*`
`202`	`202`	`* Only allow the CSRF check to fail on OCS Requests. This kind of`
Original file line number	Diff line number	Diff line change
`@@ -74,4 +74,8 @@ public function isTokenValid(CsrfToken $token): bool {`
`74`	`74`	`$token->getDecryptedValue()`
`75`	`75`	`);`
`76`	`76`	`}`
	`77`	`+`
	`78`	`+ public function generateSessionToken(): void {`
	`79`	`+ $this->getToken();`
	`80`	`+ }`
`77`	`81`	`}`
Original file line number	Diff line number	Diff line change
`@@ -449,7 +449,6 @@ public static function sanitizeHTML(string\|array\|null $value): string\|array {`
`449`	`449`	`return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');`
`450`	`450`	`}, $value);`
`451`	`451`	`}`
`452`		`- // Specify encoding for PHP<5.4`
`453`	`452`	`return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');`
`454`	`453`	`}`
`455`	`454`