From 972b5a1976448f89e4412591bc88c6e0b9114d01 Mon Sep 17 00:00:00 2001
From: Matthew Flaschen
Date: Tue, 16 Aug 2016 18:11:35 -0400
Subject: [PATCH] Note that you shouldn't use a custom $salt for 'edit' or 'csrf'
Change-Id: I795b3a17791a9e16382a7c6379b0e7a4a498d32e
---
 includes/user/User.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/includes/user/User.php b/includes/user/User.php
index ab665a49a9..83cfa40644 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -4190,6 +4190,8 @@ class User implements IDBAccessObject {
 * login credentials aren't being hijacked with a foreign form
 * submission.
 *
+ * The $salt for 'edit' and 'csrf' tokens is the default (empty string).
+ *
 * @since 1.19
 * @param string|array $salt Array of Strings Optional function-specific data for hashing
 * @param WebRequest|null $request WebRequest object to use or null to use $wgRequest
--
2.20.1
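Review bot: The added docblock sentence states a fact (`The $salt for 'edit' and 'csrf' tokens is the default (empty string).`) but not the rule the commit subject announces, so a caller can still read it as leaving a custom salt optional for those token types. Wording it as an instruction would carry the intent, e.g. `Do not pass a custom $salt when generating or checking 'edit' or 'csrf' tokens; those always use the default (empty string).` If a token built with a non-default salt would fail validation against the default one, which seems likely but is not visible here, saying so would tell the reader what breaks. The method this docblock belongs to starts and ends outside the hunk, so this is based on the comment text alone.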