From 3680e2cdaaf5b18434aeabc23696b8feb3dacd8c Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Tue, 28 Feb 2017 18:47:13 +0100
Subject: [PATCH] do not generate CSRF tokens when no session or user exists

This partly fixes #1883
---
 inc/common.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/inc/common.php b/inc/common.php
index b8e77d7bf..d23c0c53f 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -94,7 +94,13 @@ function stripctl($string) {
 function getSecurityToken() {
     /** @var Input $INPUT */
     global $INPUT;
-    return PassHash::hmac('md5', session_id().$INPUT->server->str('REMOTE_USER'), auth_cookiesalt());
+
+    $user = $INPUT->server->str('REMOTE_USER');
+    $session = session_id();
+
+    // CSRF checks are only for logged in users - do not generate for anonymous
+    if(trim($user) == '' || trim($session) == '') return '';
+    return PassHash::hmac('md5', $session.$user, auth_cookiesalt());
 }
 
 /**
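Review bot: The new empty-string return on the `if(trim($user) == '' || trim($session) == '') return '';` line becomes a valid token for any caller that compares a request-supplied token with `$token == getSecurityToken()`, since a missing or empty form field also yields `''`; whichever check function consumes this value (presumably the sibling token check, which is outside this hunk) must treat an empty expected token as never matching. The comparisons should also be strict, `if (trim($user) === '' || trim($session) === '') return '';`, so a user name such as `'0'` is not silently coerced. A note in the function's docblock, which starts above the hunk, would make the contract explicit: `@return string the token, or '' when no session or logged-in user exists; callers must reject an empty token rather than compare against it`. Concatenating `$session.$user` without a separator is probably harmless if session ids are fixed length, but a delimiter would remove any doubt.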
-- 
GitLab