[TYPO3-core] RFC: #17490: After introducing the locking in #17289 no CSRF token will ever be deleted.

Helmut Hummel helmut.hummel at typo3.org
Sat Feb 5 17:51:16 CET 2011


Hi,

On 05.02.11 05:26, Jigal van Hemert wrote:

> On 5-2-2011 0:30, Helmut Hummel wrote:
> 
> Nitpicking, can't we simplify:
> 
> 	$this->tokens = array_merge($tokens, $this->addedTokens);
> 	foreach ($this->droppedTokenIds as $tokenId) {
> 		unset($this->tokens[$tokenId]);
> 	}
> 
> to:
> 
> $this->tokens = array_diff_key(
> 	array_merge($tokens, $this->addedTokens),
> 	$this->droppedTokenIds
> );

Not exactly, because $this->droppedTokenIds contains the token ids as
values, not as keys. But this can be changed easily of course.

Nevertheless, it depends on what you mean by simplify. I don't think it's
more readable than the foreach code.

Additionally, these array functions are often very expensive
performance-wise. For this case it means that the foreach variant is
faster up to 3 dropped tokens.

Currently typically only one token is validated during one request, but
of course it could be more if the maximum number of tokens is reached
and a lot more tokens need to be dropped.

So I'm fine with changing it to use array_diff, if you insist.

Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: foreach_vs_array_diff.php
Type: text/php
Size: 1480 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20110205/2510a181/attachment.bin>
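
The three variants discussed in this message, side by side, as an added example that is not part of the original mail, its attachment or the TYPO3 code base. The function names, token ids and token values are constructed for illustration; the only thing taken from the thread is that the dropped ids are stored as values, not as keys.

```php
<?php
// Constructed sample data; ids and values are illustrative, not TYPO3's token format.
$tokens          = array('a1f3' => 'tok-A', 'b2e4' => 'tok-B');
$addedTokens     = array('c3d5' => 'tok-C');
// As stated in the thread: the ids to drop are stored as VALUES of a list.
$droppedTokenIds = array('a1f3', 'c3d5');

// Variant 1: the merge-then-unset loop from the patch under review.
function dropWithForeach(array $tokens, array $addedTokens, array $droppedTokenIds) {
	$result = array_merge($tokens, $addedTokens);
	foreach ($droppedTokenIds as $tokenId) {
		unset($result[$tokenId]);
	}
	return $result;
}

// Variant 2: array_diff_key() applied to the id list as it is. The function
// compares the token ids against the list's own keys (0, 1, ...), so nothing
// matches and every token that should have been dropped stays in the result.
function dropWithDiffKeyOnValues(array $tokens, array $addedTokens, array $droppedTokenIds) {
	return array_diff_key(array_merge($tokens, $addedTokens), $droppedTokenIds);
}

// Variant 3: array_diff_key() after array_flip() turns the ids into keys.
function dropWithDiffKeyFlipped(array $tokens, array $addedTokens, array $droppedTokenIds) {
	return array_diff_key(array_merge($tokens, $addedTokens), array_flip($droppedTokenIds));
}

// The only token that should survive is the one that was never dropped.
$expected = array('b2e4' => 'tok-B');

$variants = array('dropWithForeach', 'dropWithDiffKeyOnValues', 'dropWithDiffKeyFlipped');
foreach ($variants as $variant) {
	$result = $variant($tokens, $addedTokens, $droppedTokenIds);
	printf(
		"%-24s matches expected: %s, remaining ids: %s\n",
		$variant,
		var_export($result === $expected, TRUE),
		implode(',', array_keys($result))
	);
}
```

Variant 2 fails silently: it raises no error and simply leaves the dropped tokens in the stored set, which is the same symptom the RFC title describes.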

