checksessionexpiry: rework

[git.ikiwiki.info.git] / IkiWiki / CGI.pm

diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index dac522eea470a544248c9c77406009b27d4d9997..a45e12e3168c54540b22f72e95c28d35eef003e5 100644 (file)
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -36,7 +36,7 @@ sub showform ($$$$;@) { #{{{
 
        printheader($session);
        print misctemplate($form->title, $form->render(submit => $buttons), @_);
-}
+} #}}}
 
 sub redirect ($$) { #{{{
        my $q=shift;
@@ -273,14 +273,14 @@ sub check_banned ($$) { #{{{
                        exit;
                }
        }
-}
+} #}}}
 
 sub cgi_getsession ($) { #{{{
        my $q=shift;
 
-       eval q{use CGI::Session};
+       eval q{use CGI::Session; use HTML::Entities};
        error($@) if $@;
-       CGI::Session->name("ikiwiki_session_".encode_utf8($config{wikiname}));
+       CGI::Session->name("ikiwiki_session_".encode_entities($config{wikiname}));
        
        my $oldmask=umask(077);
        my $session = eval {
@@ -296,6 +296,22 @@ sub cgi_getsession ($) { #{{{
        return $session;
 } #}}}
 
+# To guard against CSRF, the user's session id (sid)
+# can be stored on a form. This function will check
+# (for logged in users) that the sid on the form matches
+# the session id in the cookie.
+sub checksessionexpiry ($$) { # {{{
+       my $q=shift;
+       my $session = shift;
+
+       if (defined $session->param("name")) {
+               my $sid=$q->param('sid');
+               if (! defined $sid || $sid ne $session->id) {
+                       error(gettext("Your login session has expired."));
+               }
+       }
+} # }}}
+
 sub cgi_savesession ($) { #{{{
        my $session=shift;