From 298052d1b8636c6e292561acaf2eccd52a4fc008 Mon Sep 17 00:00:00 2001
From: flashwave <me@flash.moe>
Date: Tue, 2 Oct 2018 21:21:52 +0200
Subject: [PATCH] and now actually with a secret key

---
 misuzu.php          | 2 +-
 src/Application.php | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/misuzu.php b/misuzu.php
index 08ab438c..35375f2a 100644
--- a/misuzu.php
+++ b/misuzu.php
@@ -303,7 +303,7 @@ MIG;
         }
     }
 
-    csrf_init('soapsoapsoap', empty($userDisplayInfo) ? ip_remote_address() : $_COOKIE['msz_sid']);
+    csrf_init($app->getCsrfSecretKey(), empty($userDisplayInfo) ? ip_remote_address() : $_COOKIE['msz_sid']);
 
     $privateInfo = $app->getPrivateInfo();
 
diff --git a/src/Application.php b/src/Application.php
index 8caa2199..e964d3bc 100644
--- a/src/Application.php
+++ b/src/Application.php
@@ -354,6 +354,11 @@ final class Application
         return $this->getPath($this->config['Avatar']['default_path'] ?? 'public/images/no-avatar.png');
     }
 
+    public function getCsrfSecretKey(): string
+    {
+        return $this->config['CSRF']['secret_key'] ?? 'insecure';
+    }
+
     /**
      * Gets the currently active instance of Application
      * @return Application