From f818dfe90847f350167055f6207befdc2e4e0f14 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Thu, 14 Jan 2010 18:45:17 +0000
Subject: - Patch #590656 by pwolanin, Pasqualle: harden one-time login links against vulnerability from disclosure of SQL backups, or SQL 'SELECT' injection.
---
 sites/default/default.settings.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'sites')
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index d8c3c72e8..15c41a725 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -167,6 +167,25 @@ $db_prefix = '';
  */
 $update_free_access = FALSE;
 
+/**
+ * Salt for one-time login links and cancel links, form tokens, etc.
+ *
+ * This variable will be set to a random value by the installer. All one-time
+ * login links will be invalidated if the value is changed. Note that this
+ * variable must have the same value on every web server. If this variable is
+ * empty, a hash of the serialized database credentials will be used as a
+ * fallback salt.
+ *
+ * For enhanced security, you may set this variable to a value using the
+ * contents of a file outside your docroot that is never saved together
+ * with any backups of your Drupal files and database.
+ *
+ * Example:
+ * $drupal_hash_salt = file_get_contents('/home/example/salt.txt');
+ *
+ */
+$drupal_hash_salt = '';
+
 /**
  * Base URL (optional).
  *
-- 
cgit v1.2.3
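Review bot: The documented example `$drupal_hash_salt = file_get_contents('/home/example/salt.txt');` fails open: if the salt file is missing or unreadable, `file_get_contents()` returns `FALSE` (with a warning), the variable is then empty, and the same docblock says an empty value silently falls back to a hash of the database credentials — so a deployment mistake quietly removes the hardening this patch adds. Since this is a settings template rather than code, the fix is in the docblock: state that a `FALSE` or empty result triggers the credential-based fallback, and show the example as `$drupal_hash_salt = trim(file_get_contents('/home/example/salt.txt'));` so a trailing newline added by most editors does not become part of the salt and differ between servers. It would also help to note that the file should be readable only by the web server user, since the salt protects the same tokens the patch description names. The file's surrounding settings and the installer that populates this value are outside the hunk.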