xsrftoken: create no padding base64 string by RawURLEncoding

The XSRF token generation function creates the padded base64 string by base64.URLEncoding, then removes the padding. It is equivalent to the base64.RawURLEncoding but with more costs. Change-Id: I9cf5ad94e9cf3dca9bbfc1b6818ab07d41acf417 GitHub-Last-Rev: a8263b543c GitHub-Pull-Request: golang/net#217 Reviewed-on: https://go-review.googlesource.com/c/net/+/599895 Reviewed-by: Ian Lance Taylor <iant@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Ian Lance Taylor <iant@google.com> Commit-Queue: Damien Neil <dneil@google.com> Commit-Queue: Ian Lance Taylor <iant@google.com>
2026-03-31 18:37:08 +09:00 · 2024-07-22 03:20:41 +00:00
parent 032e4e4358
commit 765c7e89b3
1 changed files with 2 additions and 3 deletions
--- a/xsrftoken/xsrf.go
+++ b/xsrftoken/xsrf.go
@@ -45,10 +45,9 @@ func generateTokenAtTime(key, userID, actionID string, now time.Time) string {
 	h := hmac.New(sha1.New, []byte(key))
 	fmt.Fprintf(h, "%s:%s:%d", clean(userID), clean(actionID), milliTime)

-	// Get the padded base64 string then removing the padding.
+	// Get the no padding base64 string.
 	tok := string(h.Sum(nil))
-	tok = base64.URLEncoding.EncodeToString([]byte(tok))
-	tok = strings.TrimRight(tok, "=")
+	tok = base64.RawURLEncoding.EncodeToString([]byte(tok))

 	return fmt.Sprintf("%s:%d", tok, milliTime)
 }