From a132f948f22ae344760ee3da82f9f92cf0f18b7b Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Fri, 31 May 2013 09:25:43 +0200
Subject: use HMAC for CSRF security tokens FS#2794

---
 inc/common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/inc/common.php b/inc/common.php
index e096d8b30..55c5b5ac4 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -56,7 +56,7 @@ function stripctl($string) {
  * @return  string
  */
 function getSecurityToken() {
-    return md5(auth_cookiesalt().session_id().$_SERVER['REMOTE_USER']);
+    return PassHash::hmac('md5', session_id().$_SERVER['REMOTE_USER'], auth_cookiesalt());
 }
 
 /**
-- 
cgit v1.2.3