authorRenato Botelho <renato@netgate.com>2017-04-10 15:04:40 -0300
committerRenato Botelho <renato@netgate.com>2017-04-10 15:04:40 -0300
commitdc668baa84a0809ac04e7421fa4a17b341572494 (patch)
tree5221e6d9dc3d0d32572a68e5aacc6c47aa2d1974 /src/usr/local/www/csrf/csrf-magic.php
parent557e082696823ea5fa09a36d98f01775bf1e0c77 (diff)
downloadpfsense-dc668baa84a0809ac04e7421fa4a17b341572494.zip
pfsense-dc668baa84a0809ac04e7421fa4a17b341572494.tar.gz
Update CSRF to latest version from github
Diffstat (limited to 'src/usr/local/www/csrf/csrf-magic.php')
-rw-r--r--src/usr/local/www/csrf/csrf-magic.php12
1 files changed, 6 insertions, 6 deletions
diff --git a/src/usr/local/www/csrf/csrf-magic.php b/src/usr/local/www/csrf/csrf-magic.php
index 77a55fb..65db19f 100644
--- a/src/usr/local/www/csrf/csrf-magic.php
+++ b/src/usr/local/www/csrf/csrf-magic.php
@@ -13,8 +13,6 @@
* This library is PHP4 and PHP5 compatible.
*/
-include_once('phpsessionmanager.inc');
-
// CONFIGURATION:
/**
@@ -219,7 +217,8 @@ function csrf_get_tokens() {
$secret = csrf_get_secret();
if (!$has_cookies && $secret) {
// :TODO: Harden this against proxy-spoofing attacks
- $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
+ $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+ $ip = ';ip:' . csrf_hash($IP_ADDRESS);
} else {
$ip = '';
}
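Review bot: The new `$IP_ADDRESS` fallback expression in this hunk is repeated verbatim in csrf_check_token (the next hunk); both call sites should share one helper so the lookup order cannot drift between token generation and verification, e.g. `function csrf_get_ip() { return isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']; }` called from both places. `IP_ADDRESS` is not a standard CGI variable, and `REMOTE_ADDR` is the socket peer, so behind a reverse proxy every client shares the proxy's address and therefore the same IP-bound fallback token, which is what the existing `:TODO:` comment already points at; the new line does not change that. If neither key is present (e.g. a CLI run) the fallback still raises an undefined-index notice, so the helper should probably also guard `REMOTE_ADDR` with `isset`. csrf_get_tokens begins outside this hunk.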
@@ -329,7 +328,8 @@ function csrf_check_token($token) {
if ($GLOBALS['csrf']['user'] !== false) return false;
if (!empty($_COOKIE)) return false;
if (!$GLOBALS['csrf']['allow-ip']) return false;
- return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time);
+ $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+ return $value === csrf_hash($IP_ADDRESS, $time);
}
return false;
}
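Review bot: The rewritten `return` in this hunk still compares the submitted token to the computed hash with `===`, which exits on the first differing byte; if the deployment runs PHP 5.6 or newer, `return hash_equals(csrf_hash($IP_ADDRESS, $time), $value);` gives a constant-time comparison (the file header's PHP4/5 compatibility claim would then need a polyfill, and `$value` must be a string, which is not visible here). This is the cookie-less, IP-bound branch, so it is the weakest of the token forms and the one where a leaky comparison matters most. csrf_check_token begins outside this hunk.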
@@ -350,7 +350,7 @@ function csrf_conf($key, $val) {
*/
function csrf_start() {
if ($GLOBALS['csrf']['auto-session'] && !session_id()) {
- phpsession_begin();
+ session_start();
}
}
@@ -381,7 +381,7 @@ function csrf_get_secret() {
*/
function csrf_generate_secret($len = 32) {
$r = '';
- for ($i = 0; $i < 32; $i++) {
+ for ($i = 0; $i < $len; $i++) {
$r .= chr(mt_rand(0, 255));
}
$r .= time() . microtime();