From 2e0dbfa2c35e58dc01f255c518a30537601f20a4 Mon Sep 17 00:00:00 2001
From: Klas Lindfors
Date: Wed, 16 May 2012 13:45:08 +0200
Subject: [PATCH] build up the array to sign by taking $_GET or $_POST and remove the h key
---
 ykval-verify.php | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/ykval-verify.php b/ykval-verify.php
index 27462b1..739ed38 100644
--- a/ykval-verify.php
+++ b/ykval-verify.php
@@ -166,14 +166,16 @@ $apiKey = base64_decode($cd['secret']);
 if ($h != '') {
 // Create the signature using the API key
- $a = array ();
- $a['id'] = $client;
- $a['otp'] = $otp;
- // include timestamp,sl and timeout in signature if it exists
- if ($timestamp) $a['timestamp'] = $timestamp;
- if ($sl) $a['sl'] = $sl;
- if ($timeout) $a['timeout'] = $timeout;
- if ($nonce) $a['nonce'] = $nonce;
+ $a;
+ if($_GET) {
+ $a = $_GET;
+ } elseif($_POST) {
+ $a = $_POST;
+ } else {
+ sendRest(S_BACKEND_ERROR);
+ exit;
+ }
+ unset($a['h']);
 $hmac = sign($a, $apiKey);
 // Compare it
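Review bot: The array handed to `sign()` is now picked by `if($_GET)` / `elseif($_POST)`, independently of wherever `$client`, `$otp`, `$nonce` and the other values were read earlier in the file (that parsing is outside this hunk). If that parsing can draw from the request body while a query string is also present, the HMAC is checked over one parameter set while the handler acts on another, so the signature no longer covers the values actually used. I would select the source by request method, `$a = ($_SERVER['REQUEST_METHOD'] === 'POST') ? $_POST : $_GET;`, keep the empty-array error path, and confirm the earlier parsing reads from that same array. Separately, the bare `$a;` statement does nothing and can be dropped, and it is worth checking that `sign()` copes with non-scalar entries now that client-supplied arrays such as `otp[]=` can reach it. The `if ($h != '')` block continues past the end of the hunk, so the comparison itself is not reviewed here.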