From 387c1ec393f5761a55461bb7ad1ccb473874d513 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Tue, 31 Jan 2012 15:46:46 -0500
Subject: [PATCH] Don't clobber the secret global, use the right variable.

Reported by Whitney Beck.

Signed-off-by: Edward Z. Yang
---
 csrf-magic.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/csrf-magic.php b/csrf-magic.php
index d8697e5..f218cd2 100644
--- a/csrf-magic.php
+++ b/csrf-magic.php
@@ -348,12 +348,12 @@ function csrf_get_secret() {
 * Generates a random string as the hash of time, microtime, and mt_rand.
 */
 function csrf_generate_secret($len = 32) {
- $secret = '';
+ $r = '';
 for ($i = 0; $i < 32; $i++) {
- $secret .= chr(mt_rand(0, 255));
+ $r .= chr(mt_rand(0, 255));
 }
- $secret .= time() . microtime();
- return sha1($secret);
+ $r .= time() . microtime();
+ return sha1($r);
 }
 
 /**
@@ -362,7 +362,7 @@ function csrf_generate_secret($len = 32) {
 */
 function csrf_hash($value, $time = null) {
 if (!$time) $time = time();
- return sha1($secret . $value . $time) . ',' . $time;
+ return sha1($GLOBALS['csrf']['secret'] . $value . $time) . ',' . $time;
 }
 
 // Load user configuration
--
2.11.4.GIT
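Review bot: The secret assembled in `csrf_generate_secret` still draws all of its entropy from `mt_rand()`, `time()` and `microtime()`, none of which is a cryptographically secure source, and this value keys every CSRF token the library issues. It should come from the OS CSPRNG instead, e.g. `$r = random_bytes(32);` where PHP 7+ is available, or `openssl_random_pseudo_bytes(32)` on older runtimes, with the docblock updated to match. Separately, the `$len` parameter is never used: the loop bound is hard-coded to 32 and the return is always a 40-character SHA-1 hex string, so either honour it or document that it is ignored.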
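Review bot: The token in `csrf_hash` is a bare `sha1()` over the concatenation secret, value, time, which is a secret-prefix construction with no separator between `$value` and `$time`. A keyed MAC is the safer form, for example `return hash_hmac('sha1', $value . '|' . $time, $GLOBALS['csrf']['secret']) . ',' . $time;`. The verifier is outside this hunk and would have to change in step, and outstanding tokens would be invalidated. The function also has no guard for an unset or empty `$GLOBALS['csrf']['secret']`, and in that case the hash silently becomes unkeyed again, so consider failing closed with something like `if (empty($GLOBALS['csrf']['secret'])) { trigger_error('csrf secret not initialised', E_USER_ERROR); }`, assuming nothing earlier in the file already guarantees it is set.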