use config.php as CSRF salt

2010-09-22 13:20:08 +01:00 · 2010-09-22 13:20:08 +01:00 · dfef932463
commit dfef932463
parent 1e04df7765
4 changed files with 6 additions and 5 deletions
--- a/core/user.class.php
+++ b/core/user.class.php
@ -168,8 +168,9 @@ class User {
 	 */
 	public function get_auth_token() {
 		global $config;
+		$salt = file_get_contents("config.php");
 		$addr = get_session_ip($config);
-		return md5(md5($this->passhash . $addr) . "salty-csrf");
+		return md5(md5($this->passhash . $addr) . "salty-csrf-" . $salt);
 	}

 	public function get_auth_html() {
--- a/core/util.inc.php
+++ b/core/util.inc.php
@ -226,7 +226,7 @@ function make_form($target, $method="POST", $multipart=False) {
 	$auth = $user->get_auth_html();
 	$extra = "";
 	if($multipart) {
-		$extra .= " enctype='multipart/form-data'"
+		$extra .= " enctype='multipart/form-data'";
 	}
 	return "<form action='$target' method='$method'$extra>$auth";
 }
--- a/ext/alias_editor/theme.php
+++ b/ext/alias_editor/theme.php
@ -60,7 +60,7 @@ class AliasEditorTheme extends Themelet {
 		";

 		$bulk_html = "
-			".make_form(make_link("alias/import"), multipart=True)."
+			".make_form(make_link("alias/import"), $multipart=True)."
 				<input type='file' name='alias_file'>
 				<input type='submit' value='Upload List'>
 			</form>
--- a/ext/upload/theme.php
+++ b/ext/upload/theme.php
@ -50,7 +50,7 @@ class UploadTheme extends Themelet {
 				});
 			});
 			</script>
-			".make_form(make_link("upload"), multipart=True)."
+			".make_form(make_link("upload"), $multipart=True)."
 				<table id='large_upload_form'>
 					$upload_list
 					<tr><td>Tags</td><td colspan='3'><input id='tag_box' name='tags' type='text'></td></tr>
@ -120,7 +120,7 @@ class UploadTheme extends Themelet {
 				});
 			});
 			</script>
-			".make_form(make_link("upload"), multipart=True)."
+			".make_form(make_link("upload"), $multipart=True)."
 				$upload_list
 				<input id='tag_input' name='tags' type='text' autocomplete='off'>
 				<input type='submit' value='Post'>