comments_embed.tmpl: include the inlined comments if present

[git.ikiwiki.info.git] / IkiWiki / CGI.pm

diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index dac522eea470a544248c9c77406009b27d4d9997..a3486cbb40034cafc2fcdedd32c828626261339d 100644 (file)
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -278,9 +278,9 @@ sub check_banned ($$) { #{{{
 sub cgi_getsession ($) { #{{{
        my $q=shift;
 
 sub cgi_getsession ($) { #{{{
        my $q=shift;
 

-       eval q{use CGI::Session};
+       eval q{use CGI::Session; use HTML::Entities};

        error($@) if $@;
        error($@) if $@;

-       CGI::Session->name("ikiwiki_session_".encode_utf8($config{wikiname}));
+       CGI::Session->name("ikiwiki_session_".encode_entities($config{wikiname}));

        
        my $oldmask=umask(077);
        my $session = eval {
        
        my $oldmask=umask(077);
        my $session = eval {


@@ -296,6 +296,20 @@ sub cgi_getsession ($) { #{{{
        return $session;
 } #}}}
 
        return $session;
 } #}}}
 

+# The session id is stored on the form and checked to
+# guard against CSRF. But only if the user is logged in,
+# as anonok can allow anonymous edits.
+sub checksessionexpiry ($$) { # {{{
+       my $session = shift;
+       my $sid = shift;
+
+       if (defined $session->param("name")) {
+               if (! defined $sid || $sid ne $session->id) {
+                       error(gettext("Your login session has expired."));
+               }
+       }
+} # }}}
+

 sub cgi_savesession ($) { #{{{
        my $session=shift;
 
 sub cgi_savesession ($) { #{{{
        my $session=shift;