diff options
| author | Joey Hess <joey@kitenet.net> | 2010-05-14 14:21:45 -0400 |
|---|---|---|
| committer | Joey Hess <joey@kitenet.net> | 2010-05-14 14:21:45 -0400 |
| commit | 8ff761afa24febdb280c672b3b31d6145990f050 (patch) | |
| tree | 3d00cbd45d48833c0d7e8084b5da1739ff11030f | |
| parent | ab3efb21d9f3c43cf01e5d1be5a55cf7a233adfb (diff) | |
remove, rename: Add guards against XSRF attacks.
| -rw-r--r-- | IkiWiki/Plugin/remove.pm | 4 | ||||
| -rw-r--r-- | IkiWiki/Plugin/rename.pm | 4 | ||||
| -rw-r--r-- | debian/changelog | 1 |
3 files changed, 9 insertions, 0 deletions
diff --git a/IkiWiki/Plugin/remove.pm b/IkiWiki/Plugin/remove.pm index a46294e78..d23b2cc10 100644 --- a/IkiWiki/Plugin/remove.pm +++ b/IkiWiki/Plugin/remove.pm @@ -107,6 +107,8 @@ sub confirmation_form ($$) { fields => [qw{do page}], ); + $f->field(name => "sid", type => "hidden", value => $session->id, + force => 1); $f->field(name => "do", type => "hidden", value => "remove", force => 1); return $f, ["Remove", "Cancel"]; @@ -188,6 +190,8 @@ sub sessioncgi ($$) { postremove($session); } elsif ($form->submitted eq 'Remove' && $form->validate) { + IkiWiki::checksessionexpiry($q, $session, $q->param('sid')); + my @pages=$form->field("page"); # Validate removal by checking that the page exists, diff --git a/IkiWiki/Plugin/rename.pm b/IkiWiki/Plugin/rename.pm index 537e91317..0da90a538 100644 --- a/IkiWiki/Plugin/rename.pm +++ b/IkiWiki/Plugin/rename.pm @@ -131,6 +131,8 @@ sub rename_form ($$$) { ); $f->field(name => "do", type => "hidden", value => "rename", force => 1); + $f->field(name => "sid", type => "hidden", value => $session->id, + force => 1); $f->field(name => "page", type => "hidden", value => $page, force => 1); $f->field(name => "new_name", value => pagetitle($page, 1), size => 60); if (!$q->param("attachment")) { @@ -286,6 +288,8 @@ sub sessioncgi ($$) { postrename($session); } elsif ($form->submitted eq 'Rename' && $form->validate) { + IkiWiki::checksessionexpiry($q, $session, $q->param('sid')); + # Queue of rename actions to perfom. my @torename; diff --git a/debian/changelog b/debian/changelog index e6c5e42ae..a09c8e228 100644 --- a/debian/changelog +++ b/debian/changelog @@ -30,6 +30,7 @@ ikiwiki (3.20100505) UNRELEASED; urgency=low (And also negative years.) * calendar: Display year in title of month calendar. * Use xhtml friendly pubdate setting. + * remove, rename: Add guards against XSRF attacks. -- Joey Hess <joeyh@debian.org> Wed, 05 May 2010 18:07:29 -0400 |