- $form->tmpl_param("page_select", 1);
- $form->field(name => "page", type => 'select',
- options => \@page_locs, value => $best_loc);
- $form->title("creating ".pagetitle($page));
- }
- elsif ($form->field("do") eq "edit") {
- page_locked($page, $session);
- if (! defined $form->field('content') ||
- ! length $form->field('content')) {
- my $content="";
- if (exists $pagesources{lc($page)}) {
- $content=readfile(srcfile($pagesources{lc($page)}));
- $content=~s/\n/\r\n/g;
- }
- $form->field(name => "content", value => $content,
- force => 1);
- }
- $form->tmpl_param("page_select", 0);
- $form->field(name => "page", type => 'hidden');
- $form->title("editing ".pagetitle($page));
- }
-
- print $form->render(submit => \@buttons);
- }
- else {
- # save page
- page_locked($page, $session);
-
- my $content=$form->field('content');
- $content=~s/\r\n/\n/g;
- $content=~s/\r/\n/g;
- writefile("$config{srcdir}/$file", $content);
-
- my $message="web commit ";
- if (length $session->param("name")) {
- $message.="by ".$session->param("name");
- }
- else {
- $message.="from $ENV{REMOTE_ADDR}";
- }
- if (defined $form->field('comments') &&
- length $form->field('comments')) {
- $message.=": ".$form->field('comments');
- }
-
- if ($config{rcs}) {
- if ($newfile) {
- rcs_add($file);
- }
- # prevent deadlock with post-commit hook
- unlockwiki();
- # presumably the commit will trigger an update
- # of the wiki
- my $conflict=rcs_commit($file, $message,
- $form->field("rcsinfo"));
-
- if (defined $conflict) {
- $form->field(name => "rcsinfo", value => rcs_prepedit($file),
- force => 1);
- $form->tmpl_param("page_conflict", 1);
- $form->field("content", value => $conflict, force => 1);
- $form->field("do", "edit)");
- $form->tmpl_param("page_select", 0);
- $form->field(name => "page", type => 'hidden');
- $form->title("editing $page");
- print $form->render(submit => \@buttons);
- return;
- }
- }
- else {
- require IkiWiki::Render;
- refresh();
- saveindex();
+ return $session;
+}
+
+# To guard against CSRF, the user's session id (sid)
+# can be stored on a form. This function will check
+# (for logged in users) that the sid on the form matches
+# the session id in the cookie.
+sub checksessionexpiry ($$) {
+ my $q=shift;
+ my $session = shift;
+
+ if (defined $session->param("name")) {
+ my $sid=$q->param('sid');
+ if (! defined $sid || $sid ne $session->id) {
+ error(gettext("Your login session has expired."));