Minor fixes

NEWS.md

@@ -37,11 +37,6 @@ Features
 
   Configuration var `hash`
 
-- Allow use of session_id() to be configured via configuration variable so that
-  other mechanisms can be utilsed instead.
-
-  Configuration var `session`
-
 ## 1.0.5 released 2014-07-24
 
 Bug Fixes

csrf-magic.js

@@ -42,11 +42,11 @@ CsrfMagic.prototype = {
 		prepend = csrfMagicName + '=' + csrfMagicToken + '&';
 		delete this.csrf_isPost;
 
-		if (typeof data == object) {
+		if (typeof data == 'object') {
 			prepend = data;
 			prepend[csrfMagicName] = csrfMagicToken;
 		} else {
-			prepend = csrfMagicName + '=' + csrfMagictoken;
+			prepend = csrfMagicName + '=' + csrfMagicToken;
 			if (data) prepend = prepend + '&' + data;
 		}
 		return this.csrf_send(prepend);

csrf-magic.php

@@ -60,7 +60,8 @@ function csrf_ob_handler($buffer, $flags) {
 		}
 	}
 
-	csrf_log(__FUNCTION__,'returns: ' . var_export($buffer, true));
+	csrf_log(__FUNCTION__, 'returns: ' . var_export($buffer, true));
+
 	return $buffer;
 }
 
@@ -80,12 +81,17 @@ function csrf_check($fatal = true) {
 		$tokens = '';
 
 		csrf_log(__FUNCTION__, "csrf magic $name was $result");
+
 		if ($result) {
 			// we don't regenerate a token and check it because some token creation
 			// schemes are volatile.
 			$tokens = $_POST[$name];
 			$result = csrf_check_tokens($tokens);
-			csrf_log(__FUNCTION__,"check_tokens($name, $tokens) returned $result");
+			if (is_array($tokens)) {
+				$tokens = implode(';', $tokens);
+			}
+
+			csrf_log(__FUNCTION__, "check_tokens($name, $tokens) returned $result");
 		}
 
 		if ($fatal && !$result) {
@@ -101,7 +107,8 @@ function csrf_check($fatal = true) {
 		}
 	}
 
-	csrf_log(__FUNCTION__,'returns: ' . var_export($result, true));
+	csrf_log(__FUNCTION__, 'returns: ' . var_export($result, true));
+
 	return $result;
 }
 
@@ -147,7 +154,8 @@ function csrf_get_tokens() {
 		$token = 'invalid';
 	}
 
-	csrf_log(__FUNCTION__,'returns: ' . var_export($token, true));
+	csrf_log(__FUNCTION__, 'returns: ' . var_export($token, true));
+
 	return $token;
 }
 
@@ -156,7 +164,9 @@ function csrf_flattenpost($data) {
 	foreach($data as $n => $v) {
 		$ret = array_merge($ret, csrf_flattenpost2(1, $n, $v));
 	}
-	csrf_log(__FUNCTION__,'returns: ' . var_export($ret, true));
+
+	csrf_log(__FUNCTION__, 'returns: ' . var_export($ret, true));
+
 	return $ret;
 }
 
@@ -170,7 +180,9 @@ function csrf_flattenpost2($level, $key, $data) {
 			$ret = array_merge($ret, csrf_flattenpost2($level+1, $nk, $v));
 		}
 	}
-	csrf_log(__FUNCTION__,'returns: ' . var_export($ret, true));
+
+	csrf_log(__FUNCTION__, 'returns: ' . var_export($ret, true));
+
 	return $ret;
 }
 
@@ -220,7 +232,8 @@ function csrf_check_tokens($tokens) {
 		}
 	}
 
-	csrf_log(__FUNCTION__,'returns: ' . var_export($valid_token, true));
+	csrf_log(__FUNCTION__, 'returns: ' . var_export($valid_token, true));
+
 	return $valid_token;
 }
 
@@ -240,7 +253,8 @@ function csrf_check_token($token) {
 				$expiry_time = time();
 				$expiry_csrf = $time + $GLOBALS['csrf']['expires'];
 				$check_token = ($expiry_time < $expiry_csrf);
-				csrf_log(__FUNCTION__,"expiry $check_token = $expiry_time < $expiry_csrf");
+
+				csrf_log(__FUNCTION__, "expiry $check_token = $expiry_time < $expiry_csrf");
 			}
 
 			if ($check_token) {
@@ -289,7 +303,8 @@ function csrf_check_token($token) {
 		}
 	}
 
-	csrf_log(__FUNCTION__,'returns: ' . var_export($valid_token, true));
+	csrf_log(__FUNCTION__, 'returns: ' . var_export($valid_token, true));
+
 	return $valid_token;
 }
 
@@ -311,6 +326,8 @@ function csrf_conf($key, $val) {
  * Starts a session if we're allowed to.
  */
 function csrf_start() {
+	global $config;
+
 	if ($GLOBALS['csrf']['auto-session'] && !session_id()) {
 		session_start();
 	}
@@ -357,7 +374,9 @@ function csrf_get_secret() {
 	}
 
 	$GLOBALS['csrf']['secret'] = $secret;
-	csrf_log(__FUNCTION__,'returns: ' . var_export($secret, true));
+
+	csrf_log(__FUNCTION__, 'returns: ' . var_export($secret, true));
+
 	return $secret;
 }
 
@@ -372,7 +391,9 @@ function csrf_generate_secret($len = 32) {
 	$r .= time() . microtime();
 
 	$secret = csrf_internal_hash('',$r);
-	csrf_log(__FUNCTION__,'returns: ' . var_export($secret, true));
+
+	csrf_log(__FUNCTION__, 'returns: ' . var_export($secret, true));
+
 	return $secret;
 }
 
@@ -402,7 +423,8 @@ function csrf_hash($value, $time = null) {
 	$secret = csrf_get_secret();
 	$result = csrf_internal_hash($secret, csrf_internal_hash($secret, $time . ':' . $value)) . ',' . $time;
 
-	csrf_log(__FUNCTION__,'returns: ' . var_export($result, true));
+	csrf_log(__FUNCTION__, 'returns: ' . var_export($result, true));
+
 	return $result;
 }
 
@@ -430,18 +452,19 @@ function csrf_get_client_addr() {
 			foreach ($header_ips as $header_ip) {
 				if (!empty($header_ip)) {
 					if (!filter_var($header_ip, FILTER_VALIDATE_IP)) {
-						csrf_log(__FUNCTIOJN__,'ERROR: Invalid remote client IP Address found in header (' . $header . ').');
+						csrf_log(__FUNCTION__, 'ERROR: Invalid remote client IP Address found in header (' . $header . ').');
 					} else {
 						$client_addr = $header_ip;
-						csrf_log(__FUNCTION__,'DEBUG: Using remote client IP Address found in header (' . $header . '): ' . $client_addr . ' (' . $_SERVER[$header] . ')');
+						csrf_log(__FUNCTION__, 'DEBUG: Using remote client IP Address found in header (' . $header . '): ' . $client_addr . ' (' . $_SERVER[$header] . ')');
 						break;
 					}
 				}
 			}
 		}
 	}
 
-	csrf_log(__FUNCTION__,'returns: ' . var_export($client_addr, true));
+	csrf_log(__FUNCTION__, 'returns: ' . var_export($client_addr, true));
+
 	return $client_addr;
 }
 
@@ -492,6 +515,7 @@ function csrf_log($name, $text) {
 		}
 	}
 }
+
 function csrf_caller() {
 	static $caller = '';
 
@@ -502,6 +526,7 @@ function csrf_caller() {
 			$caller = $_SERVER['SCRIPT_NAME'];
 		}
 	}
+
 	return $caller;
 }
 

test.php

@@ -1,4 +1,4 @@
-<?php 
+<?php
 
 function csrf_startup() {
     csrf_conf('rewrite-js', 'csrf-magic.js');