From 681bc9755ecfaa5bd7f4f2fd5caf5c4ff886da8d Mon Sep 17 00:00:00 2001
From: mdipierro
Date: Sun, 28 Apr 2013 23:09:49 -0500
Subject: [PATCH] fixed potential vulnerability in form CRSF handling, thanks Anthony
---
VERSION | 2 +-
gluon/html.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/VERSION b/VERSION
index 0f52e09a..4abd817f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-Version 2.4.6-stable+timestamp.2013.04.28.23.04.43
+Version 2.4.6-stable+timestamp.2013.04.28.23.09.04
diff --git a/gluon/html.py b/gluon/html.py
index 6a950537..53462c12 100644
--- a/gluon/html.py
+++ b/gluon/html.py
@@ -1995,7 +1995,7 @@ class FORM(DIV):
 if session is not None:
 formkey = session.get('_formkey[%s]' % formname, None)
 # check if user tampering with form and void CSRF
- if formkey != request_vars._formkey:
+ if not formkey or formkey != request_vars._formkey:
 status = False
 if formname != request_vars._formname:
 status = False
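Review bot: The comment above the changed line in gluon/html.py still reads only `# check if user tampering with form and void CSRF` and does not record why the new `not formkey` guard is needed, which is the whole point of the fix; suggest `# reject unless this session actually issued a formkey: with no key stored, a request omitting _formkey would otherwise compare None == None and pass`. The token check itself remains a plain `!=`; if the Python versions this codebase supports provide `hmac.compare_digest`, a constant-time comparison would avoid leaking token bytes through timing, but the targeted versions are not visible from the hunk. Whether the matched formkey is invalidated after a successful check (single-use token) is also outside the hunk, so I cannot confirm replay is prevented. The enclosing method of FORM starts and ends outside the hunk.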