summaryrefslogtreecommitdiff
path: root/po
diff options
context:
space:
mode:
authorJoey Hess <joey@kodama.kitenet.net>2008-04-10 16:35:30 -0400
committerJoey Hess <joey@kodama.kitenet.net>2008-04-10 16:35:30 -0400
commit72b5ef2c5fb01751992c9400afe2690da5df611f (patch)
tree3a7aab2bc11e330e9e73164e438f01afa3846141 /po
parent609e74bbd83925d2eea797a64620a20f57df75a5 (diff)
Fix CSRF attacks against the preferences and edit forms. Closes: #475445
The fix involved embedding the session id in the forms, and not allowing the forms to be submitted if the embedded id does not match the session id. In the case of the preferences form, if the session id is not embedded, then the CGI parameters are cleared. This avoids a secondary attack where the link to the preferences form prefills password or other fields, and the user hits "submit" without noticing these prefilled values. In the case of the editpage form, the anonok plugin can allow anyone to edit, and so I chose not to guard against CSRF attacks against users who are not logged in. Otherwise, it also embeds the session id and checks it. For page editing, I assume that the user will notice if content or commit message is changed because of CGI parameters, and won't blndly hit save page. So I didn't block those CGI paramters. (It's even possible to use those CGI parameters, for good, not for evil, I guess..) The only other CSRF attack I can think of in ikiwiki involves the poll plugin. It's certianly possible to set up a link that causes the user to unknowingly vote in a poll. However, the poll plugin is not intended to be used for things that people would want to attack, since anyone can after all edit the poll page and fill in any values they like. So this "attack" is ignorable.
Diffstat (limited to 'po')
-rw-r--r--po/ikiwiki.pot28
1 files changed, 16 insertions, 12 deletions
diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot
index a3f7cafcb..5e7e4b4d4 100644
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2008-03-29 21:01-0400\n"
+"POT-Creation-Date: 2008-04-10 16:18-0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -24,46 +24,50 @@ msgstr ""
msgid "login failed, perhaps you need to turn on cookies?"
msgstr ""
-#: ../IkiWiki/CGI.pm:184
+#: ../IkiWiki/CGI.pm:173 ../IkiWiki/CGI.pm:499
+msgid "Your login session has expired."
+msgstr ""
+
+#: ../IkiWiki/CGI.pm:194
msgid "Login"
msgstr ""
-#: ../IkiWiki/CGI.pm:185
+#: ../IkiWiki/CGI.pm:195
msgid "Preferences"
msgstr ""
-#: ../IkiWiki/CGI.pm:186
+#: ../IkiWiki/CGI.pm:196
msgid "Admin"
msgstr ""
-#: ../IkiWiki/CGI.pm:235
+#: ../IkiWiki/CGI.pm:248
msgid "Preferences saved."
msgstr ""
-#: ../IkiWiki/CGI.pm:293
+#: ../IkiWiki/CGI.pm:306
#, perl-format
msgid "%s is not an editable page"
msgstr ""
-#: ../IkiWiki/CGI.pm:395 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:410 ../IkiWiki/Plugin/brokenlinks.pm:24
#: ../IkiWiki/Plugin/inline.pm:265 ../IkiWiki/Plugin/opendiscussion.pm:17
#: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:95
#: ../IkiWiki/Render.pm:172
msgid "discussion"
msgstr ""
-#: ../IkiWiki/CGI.pm:451
+#: ../IkiWiki/CGI.pm:466
#, perl-format
msgid "creating %s"
msgstr ""
-#: ../IkiWiki/CGI.pm:469 ../IkiWiki/CGI.pm:487 ../IkiWiki/CGI.pm:497
-#: ../IkiWiki/CGI.pm:531 ../IkiWiki/CGI.pm:576
+#: ../IkiWiki/CGI.pm:484 ../IkiWiki/CGI.pm:512 ../IkiWiki/CGI.pm:522
+#: ../IkiWiki/CGI.pm:556 ../IkiWiki/CGI.pm:601
#, perl-format
msgid "editing %s"
msgstr ""
-#: ../IkiWiki/CGI.pm:666
+#: ../IkiWiki/CGI.pm:691
msgid "You are banned."
msgstr ""
@@ -222,7 +226,7 @@ msgstr ""
msgid "Discussion"
msgstr ""
-#: ../IkiWiki/Plugin/inline.pm:491
+#: ../IkiWiki/Plugin/inline.pm:500
msgid "RPC::XML::Client not found, not pinging"
msgstr ""