]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/commitdiff
projects / git.ikiwiki.info.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ab3efb2)
remove, rename: Add guards against XSRF attacks.
authorJoey Hess <joey@kitenet.net>
Fri, 14 May 2010 18:21:45 +0000 (14:21 -0400)
committerJoey Hess <joey@kitenet.net>
Fri, 14 May 2010 18:21:45 +0000 (14:21 -0400)
IkiWiki/Plugin/remove.pm patch | blob | history
IkiWiki/Plugin/rename.pm patch | blob | history
debian/changelog patch | blob | history

diff --git a/IkiWiki/Plugin/remove.pm b/IkiWiki/Plugin/remove.pm
index a46294e788815f30358bdba535b107bd78c24ba4..d23b2cc1016851ac537303f9a3438df7446f40bd 100644 (file)
--- a/IkiWiki/Plugin/remove.pm
+++ b/IkiWiki/Plugin/remove.pm
@@ -107,6 +107,8 @@ sub confirmation_form ($$) {
                fields => [qw{do page}],
        );
        
+       $f->field(name => "sid", type => "hidden", value => $session->id,
+               force => 1);
        $f->field(name => "do", type => "hidden", value => "remove", force => 1);
 
        return $f, ["Remove", "Cancel"];
@@ -188,6 +190,8 @@ sub sessioncgi ($$) {
                        postremove($session);
                }
                elsif ($form->submitted eq 'Remove' && $form->validate) {
+                       IkiWiki::checksessionexpiry($q, $session, $q->param('sid'));
+
                        my @pages=$form->field("page");
        
                        # Validate removal by checking that the page exists,
diff --git a/IkiWiki/Plugin/rename.pm b/IkiWiki/Plugin/rename.pm
index 537e913178f42cb93270a60bd6b2560cc6dda33a..0da90a538cb15b1e8f7b2b6a162a8f170ecb61bc 100644 (file)
--- a/IkiWiki/Plugin/rename.pm
+++ b/IkiWiki/Plugin/rename.pm
@@ -131,6 +131,8 @@ sub rename_form ($$$) {
        );
        
        $f->field(name => "do", type => "hidden", value => "rename", force => 1);
+       $f->field(name => "sid", type => "hidden", value => $session->id,
+               force => 1);
        $f->field(name => "page", type => "hidden", value => $page, force => 1);
        $f->field(name => "new_name", value => pagetitle($page, 1), size => 60);
        if (!$q->param("attachment")) {
@@ -286,6 +288,8 @@ sub sessioncgi ($$) {
                        postrename($session);
                }
                elsif ($form->submitted eq 'Rename' && $form->validate) {
+                       IkiWiki::checksessionexpiry($q, $session, $q->param('sid'));
+
                        # Queue of rename actions to perfom.
                        my @torename;
 
diff --git a/debian/changelog b/debian/changelog
index e6c5e42ae17b1b683761bd1c79d888605ab1dbea..a09c8e2288828e3c0302ede52c49ff65e9bf71d9 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -30,6 +30,7 @@ ikiwiki (3.20100505) UNRELEASED; urgency=low
     (And also negative years.)
   * calendar: Display year in title of month calendar.
   * Use xhtml friendly pubdate setting.
+  * remove, rename: Add guards against XSRF attacks.
 
  -- Joey Hess <joeyh@debian.org>  Wed, 05 May 2010 18:07:29 -0400
 
Unnamed repository; edit this file 'description' to name the repository.