From f72e6947d5048c4af5fcfc7bb8da64435bd6246a Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Thu, 17 Sep 2020 10:04:00 +0300
Subject: use hash_equals() correctly
---
 include/functions.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/functions.php b/include/functions.php
index bb7974f7f..298a77033 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -679,7 +679,7 @@
 }
 function validate_csrf($csrf_token) {
- return hash_equals($csrf_token, $_SESSION['csrf_token']);
+ return hash_equals($_SESSION['csrf_token'], $csrf_token);
 }
 function load_user_plugins($owner_uid, $pluginhost = false) {
--
cgit v1.2.3
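Review bot: validate_csrf() hands both values to hash_equals() with no type or emptiness check, so the result depends on inputs this function does not control. hash_equals() accepts only strings: a missing `$_SESSION['csrf_token']` or a non-string `$csrf_token` (callers are not visible in this hunk, so whether request data reaches it unchanged is an assumption) produces a warning on PHP 7 and a TypeError on PHP 8, and two empty strings compare equal. Consider `$known = $_SESSION['csrf_token'] ?? '';` followed by `return is_string($known) && $known !== '' && is_string($csrf_token) && hash_equals($known, $csrf_token);`. A one-line comment stating that the session token is the known string and must stay first would help keep the argument order from regressing.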