authorYorhel <git@yorhel.nl>2014-08-29 09:43:00 +0200
committerYorhel <git@yorhel.nl>2014-08-29 09:45:15 +0200
commitc27d4e6b509a655d81e36469bb881afc287596e8 (patch)
treec7a42b5226edaab2e3356592130a6db7caa13a9e /lib/VNDB/Util/Auth.pm
parent9475bf8ccf1b422402ab70b6cb2276dc3c61e5c6 (diff)
Strengthen formcode for non-logged-in visitors + CSRF protect login form
formcode is strengthened by including the IP (-prefix) into the hash, ensuring that the code can't be obtained by someone on a different network. I also removed the login form from every page. Felt kinda pointless.
Diffstat (limited to 'lib/VNDB/Util/Auth.pm')
-rw-r--r--lib/VNDB/Util/Auth.pm2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm
index c7e8b973..a1fa9b4d 100644
--- a/lib/VNDB/Util/Auth.pm
+++ b/lib/VNDB/Util/Auth.pm
@@ -165,7 +165,7 @@ sub authGetCode {
my $self = shift;
my $id = shift;
my $time = (shift || time)/3600; # accuracy of an hour
- my $uid = pack('N', $self->{_auth} ? $self->{_auth}{id} : 0);
+ my $uid = encode_utf8($self->{_auth} ? $self->{_auth}{id} : $self->normIP());
return lc substr sha1_hex($self->{form_salt} . $uid . encode_utf8($id||'') . pack('N', int $time)), 0, 16;
}
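Review bot: The new `$uid` is a variable-length string concatenated straight into the `sha1_hex` input next to `encode_utf8($id||'')`, so the field boundary that the old fixed-width `pack('N', ...)` provided is gone: uid `1` with id `23` hashes the same bytes as uid `12` with id `3`, and numeric user ids now share a namespace with whatever `normIP()` returns. If `$id` can ever be influenced by the requester, a code issued for one (user, id) pair could validate for another. I would tag and terminate the field, e.g. `my $uid = encode_utf8(($self->{_auth} ? 'u:'.$self->{_auth}{id} : 'ip:'.$self->normIP())."\0");`. `normIP()` and the `sub authGetCode {` line are outside the hunk, so the format of the IP prefix is assumed here.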