From a817d3794d920f4f9280820beea746ab072830cd Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Thu, 17 Sep 2020 08:59:18 +0300
Subject: * use get_random_bytes() for CSRF token
* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
---
 plugins/af_proxy_http/init.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'plugins/af_proxy_http')
diff --git a/plugins/af_proxy_http/init.php b/plugins/af_proxy_http/init.php
index 0a8e88677..7cb9355f3 100644
--- a/plugins/af_proxy_http/init.php
+++ b/plugins/af_proxy_http/init.php
@@ -30,7 +30,7 @@ class Af_Proxy_Http extends Plugin {
 $host->add_hook($host::HOOK_PREFS_TAB, $this);
 if (!$_SESSION['af_proxy_http_token'])
- $_SESSION['af_proxy_http_token'] = uniqid_short();
+ $_SESSION['af_proxy_http_token'] = bin2hex(get_random_bytes(16));
 }
 function hook_enclosure_entry($enc) {
@@ -202,7 +202,7 @@ class Af_Proxy_Http extends Plugin {
 function hook_prefs_tab($args) {
 if ($args != "prefFeeds") return;
- print "
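Review bot: The guard on the context line just above the change, `if (!$_SESSION['af_proxy_http_token'])`, reads the session key before it exists on a fresh session and so raises an undefined-index notice under a strict error-reporting level; `if (empty($_SESSION['af_proxy_http_token']))` keeps the same generate-once-per-session behaviour without the notice. The new 16-byte token passed through `bin2hex()` is 32 hex characters, so it can never be falsy and the guard stays stable after the first assignment. The commit message says the token is now compared with `hash_equals()`, but the comparison site is not in this file section, so that cannot be confirmed from the hunk. The enclosing method begins before the hunk.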
extension ".__('Image proxy settings (af_proxy_http)')."\">"; print "
"; -- cgit v1.2.3