From 9d2537f70d58b16aeba89779aaf1573b8d618e11 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Tue, 16 Jul 2013 23:22:26 -0700
Subject: [PATCH] Fix bug grabbing wrong secret, thanks sparticvs for reporting.

Signed-off-by: Edward Z. Yang
---
 csrf-magic.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/csrf-magic.php b/csrf-magic.php
index f218cd2..16550c3 100644
--- a/csrf-magic.php
+++ b/csrf-magic.php
@@ -53,6 +53,8 @@ $GLOBALS['csrf']['rewrite-js'] = false;
 * will become invalid.
 */
 $GLOBALS['csrf']['secret'] = '';
+// nota bene: library code should use csrf_get_secret() and not access
+// this global directly
 
 /**
 * Set this to false to disable csrf-magic's output handler, and therefore,
@@ -362,7 +364,7 @@ function csrf_generate_secret($len = 32) {
 */
 function csrf_hash($value, $time = null) {
 if (!$time) $time = time();
- return sha1($GLOBALS['csrf']['secret'] . $value . $time) . ',' . $time;
+ return sha1(csrf_get_secret() . $value . $time) . ',' . $time;
 }
 
 // Load user configuration
-- 
2.11.4.GIT
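Review bot: The changed `return` line in csrf_hash still builds the token as a bare `sha1(secret . value . time)` with no separator between the fields, so the digest does not fix where `$value` ends and `$time` begins, and a secret-prefix hash is the construction HMAC was designed to replace. With the secret now resolved through the accessor, I would key the digest properly: `return hash_hmac('sha1', $value . ':' . $time, csrf_get_secret()) . ',' . $time;`. The verifying code is outside this hunk; if it recomputes the token through csrf_hash nothing else changes, otherwise it has to be updated to match. csrf_get_secret() is also defined outside the hunk, so I cannot tell whether it can return an empty string; if it can, csrf_hash should refuse to issue a token rather than hash with an empty key.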