]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/commitdiff
remove, rename: Add guards against XSRF attacks.
authorJoey Hess <joey@kitenet.net>
Fri, 14 May 2010 18:21:45 +0000 (14:21 -0400)
committerJoey Hess <joey@kitenet.net>
Fri, 14 May 2010 18:21:45 +0000 (14:21 -0400)
IkiWiki/Plugin/remove.pm
IkiWiki/Plugin/rename.pm
debian/changelog

index a46294e788815f30358bdba535b107bd78c24ba4..d23b2cc1016851ac537303f9a3438df7446f40bd 100644 (file)
@@ -107,6 +107,8 @@ sub confirmation_form ($$) {
                fields => [qw{do page}],
        );
        
+       $f->field(name => "sid", type => "hidden", value => $session->id,
+               force => 1);
        $f->field(name => "do", type => "hidden", value => "remove", force => 1);
 
        return $f, ["Remove", "Cancel"];
@@ -188,6 +190,8 @@ sub sessioncgi ($$) {
                        postremove($session);
                }
                elsif ($form->submitted eq 'Remove' && $form->validate) {
+                       IkiWiki::checksessionexpiry($q, $session, $q->param('sid'));
+
                        my @pages=$form->field("page");
        
                        # Validate removal by checking that the page exists,
index 537e913178f42cb93270a60bd6b2560cc6dda33a..0da90a538cb15b1e8f7b2b6a162a8f170ecb61bc 100644 (file)
@@ -131,6 +131,8 @@ sub rename_form ($$$) {
        );
        
        $f->field(name => "do", type => "hidden", value => "rename", force => 1);
+       $f->field(name => "sid", type => "hidden", value => $session->id,
+               force => 1);
        $f->field(name => "page", type => "hidden", value => $page, force => 1);
        $f->field(name => "new_name", value => pagetitle($page, 1), size => 60);
        if (!$q->param("attachment")) {
@@ -286,6 +288,8 @@ sub sessioncgi ($$) {
                        postrename($session);
                }
                elsif ($form->submitted eq 'Rename' && $form->validate) {
+                       IkiWiki::checksessionexpiry($q, $session, $q->param('sid'));
+
                        # Queue of rename actions to perfom.
                        my @torename;
 
index e6c5e42ae17b1b683761bd1c79d888605ab1dbea..a09c8e2288828e3c0302ede52c49ff65e9bf71d9 100644 (file)
@@ -30,6 +30,7 @@ ikiwiki (3.20100505) UNRELEASED; urgency=low
     (And also negative years.)
   * calendar: Display year in title of month calendar.
   * Use xhtml friendly pubdate setting.
+  * remove, rename: Add guards against XSRF attacks.
 
  -- Joey Hess <joeyh@debian.org>  Wed, 05 May 2010 18:07:29 -0400