X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/0f67e7d96953535e98d9ec26c30a25b8aaad782c..985b229be632126f376aaad7bd354d0d7d014464:/IkiWiki/CGI.pm?ds=sidebyside

diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index dac522eea..a45e12e31 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -36,7 +36,7 @@ sub showform ($$$$;@) { #{{{
 
 	printheader($session);
 	print misctemplate($form->title, $form->render(submit => $buttons), @_);
-}
+} #}}}
 
 sub redirect ($$) { #{{{
 	my $q=shift;
@@ -273,14 +273,14 @@ sub check_banned ($$) { #{{{
 			exit;
 		}
 	}
-}
+} #}}}
 
 sub cgi_getsession ($) { #{{{
 	my $q=shift;
 
-	eval q{use CGI::Session};
+	eval q{use CGI::Session; use HTML::Entities};
 	error($@) if $@;
-	CGI::Session->name("ikiwiki_session_".encode_utf8($config{wikiname}));
+	CGI::Session->name("ikiwiki_session_".encode_entities($config{wikiname}));
 	
 	my $oldmask=umask(077);
 	my $session = eval {
@@ -296,6 +296,22 @@ sub cgi_getsession ($) { #{{{
 	return $session;
 } #}}}
 
+# To guard against CSRF, the user's session id (sid)
+# can be stored on a form. This function will check
+# (for logged in users) that the sid on the form matches
+# the session id in the cookie.
+sub checksessionexpiry ($$) { # {{{
+	my $q=shift;
+	my $session = shift;
+
+	if (defined $session->param("name")) {
+		my $sid=$q->param('sid');
+		if (! defined $sid || $sid ne $session->id) {
+			error(gettext("Your login session has expired."));
+		}
+	}
+} # }}}
+
 sub cgi_savesession ($) { #{{{
 	my $session=shift;