From f818dfe90847f350167055f6207befdc2e4e0f14 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Thu, 14 Jan 2010 18:45:17 +0000
Subject: - Patch #590656 by pwolanin, Pasqualle: harden one-time login links against vulnerability from disclosure of SQL backups, or SQL 'SELECT' injection.
---
 install.php | 4 ++++
 1 file changed, 4 insertions(+) (limited to 'install.php')
diff --git a/install.php b/install.php
index 0b9dddd87..f4da1bb55 100644
--- a/install.php
+++ b/install.php
@@ -1002,6 +1002,10 @@ function install_settings_form_submit($form, &$form_state) {
 'value' => $form_state['values']['db_prefix'],
 'required' => TRUE,
 );
+ $settings['drupal_hash_salt'] = array(
+ 'value' => sha1(drupal_random_bytes(64)),
+ 'required' => TRUE,
+ );
 drupal_rewrite_settings($settings);
 // Indicate that the settings file has been verified, and check the database
 // for the last completed task, now that we have a valid connection. This
--
cgit v1.2.3
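Review bot: The added `$settings['drupal_hash_salt']` assignment carries no comment, although per the commit subject its protection depends on the value living only in settings.php and never in the database, so that a leaked SQL backup or a SELECT injection alone is not enough to forge a one-time login link. I would add a comment above it such as `// Site-specific secret kept outside the database; never store or export it alongside SQL backups.` Passing the 64 random bytes through `sha1()` also caps the salt at 160 bits; `'value' => hash('sha256', drupal_random_bytes(64)),` keeps the hex format with a wider digest. The salt's strength rests on drupal_random_bytes(), whose implementation is not visible here, and install_settings_form_submit() starts and ends outside the hunk.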