From ed82472c6a122ee33462ef6ebaba6daa22f1df35 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang" 
Date: Thu, 24 Jul 2014 10:40:21 +0100
Subject: [PATCH] Use an HMAC.
Signed-off-by: Edward Z. Yang 
---
 NEWS.txt | 4 ++++
 csrf-magic.php | 7 ++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/NEWS.txt b/NEWS.txt
index a8bf21c..093b0aa 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -8,6 +8,10 @@
 - In some server environments, IP address was not being detected properly. Thanks Bianka Martinovic for reporting.
+ [SECURITY FIXES]
+
+ - Hashing now uses an HMAC to prevent length extension attacks.
+
 1.0.4 released 2013-07-17 [SECURITY FIXES]
diff --git a/csrf-magic.php b/csrf-magic.php
index bdbc612..227bf93 100644
--- a/csrf-magic.php
+++ b/csrf-magic.php
@@ -392,7 +392,12 @@ function csrf_generate_secret($len = 32) {
 */
 function csrf_hash($value, $time = null) {
 if (!$time) $time = time();
- return sha1(csrf_get_secret() . $value . $time) . ',' . $time;
+ if (function_exists("hash_hmac")) {
+ return hash_hmac('sha1', $time . ':' . $value, csrf_get_secret()) . ',' . $time;
+ } else {
+ $secret = csrf_get_secret();
+ return sha1($secret . sha1($secret . $time . ':' . $value)) . ',' . $time;
+ }
 }
 // Load user configuration
-- 2.11.4.GIT
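Review bot: The sha1 fallback on the new `else` branch of csrf_hash produces a token that is not interchangeable with the hash_hmac branch, so two hosts behind the same secret would reject each other's tokens if only one lacked ext/hash; since hash_hmac ships by default in every PHP release this code can plausibly run on, the branch is effectively dead and should either be removed or carry a comment such as `// Fallback only for PHP builds without ext/hash; its output is NOT compatible with the HMAC form above.`. The `else` after `return` can also go, leaving the fallback at function level. The docblock that ends at the `*/` context line starts outside the hunk; it should state that the returned string is `<hmac-sha1-hex>,<time>`, that the secret is used as the HMAC key rather than as part of the message, and that the `time:value` framing is what keeps the two inputs unambiguous. Wherever this result is compared against a submitted token (not in this hunk), the comparison should be constant-time, `hash_equals()` where available, so the HMAC is not undermined by a timing leak in the check.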