Problem/Motivation
#2141041: CsrfTokenGenerator::validate() should do an identical compare added string casting to Crypt::hmacBase64(). This just masks a problem in the calling code by brushing it under the carpet. base64_encode() can also accept any scalar value; these don't have to be strings. This function could easily be passed something other than what you expect (and what it expects). This casting could also lead to some weird bugs in people's code that they will find very difficult to debug.
Proposed resolution
Throw an exception if strings are not passed to this function.
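The difference between casting and rejecting, as an added example that is not Drupal's own code: the function names, the constructed key and the choice of InvalidArgumentException are assumptions made for illustration.

```php
<?php
// Illustrative sketch only; names and exception type are assumptions.

// Casting variant: NULL and any scalar are silently turned into strings.
function hmac_base64_casting($data, $key) {
  $hmac = base64_encode(hash_hmac('sha256', (string) $data, (string) $key, TRUE));
  // URL-safe base64 without padding.
  return strtr($hmac, ['+' => '-', '/' => '_', '=' => '']);
}

// Strict variant: refuse anything that is not already a string.
function hmac_base64_strict($data, $key) {
  // is_string() is checked explicitly because, without strict_types,
  // a "string" type hint would itself coerce ints, floats and bools.
  if (!is_string($data) || !is_string($key)) {
    throw new InvalidArgumentException('Both parameters must be strings.');
  }
  $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
  return strtr($hmac, ['+' => '-', '/' => '_', '=' => '']);
}

$key = 'constructed-example-key'; // constructed sample value

// Casting makes distinct inputs collapse onto one token:
// NULL, FALSE and '' all cast to '', while TRUE and 1 both cast to '1'.
$groups = [
  'empty' => [NULL, FALSE, ''],
  'one' => [TRUE, 1, '1'],
];
foreach ($groups as $label => $values) {
  $tokens = array_unique(array_map(
    function ($v) use ($key) { return hmac_base64_casting($v, $key); },
    $values
  ));
  printf("casting, group %s: %d inputs, %d distinct token(s)\n", $label, count($values), count($tokens));
}

// The strict variant surfaces the calling-code bug instead of hiding it.
foreach ([NULL, FALSE, TRUE, 1, '1'] as $value) {
  try {
    hmac_base64_strict($value, $key);
    printf("strict: accepted %s\n", var_export($value, TRUE));
  }
  catch (InvalidArgumentException $e) {
    printf("strict: rejected %s (%s)\n", var_export($value, TRUE), $e->getMessage());
  }
}
```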
Remaining tasks
Patch, review, updated tests.
User interface changes
None
API changes
None, unless you are passing some other datatypes to Crypt::hmacBase64()!