diff options
Diffstat (limited to 'IkiWiki')
-rw-r--r-- | IkiWiki/CGI.pm | 14 | ||||
-rw-r--r-- | IkiWiki/Plugin/comments.pm | 2 | ||||
-rw-r--r-- | IkiWiki/Plugin/editpage.pm | 2 |
3 files changed, 10 insertions, 8 deletions
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm index a3486cbb4..a45e12e31 100644 --- a/IkiWiki/CGI.pm +++ b/IkiWiki/CGI.pm @@ -36,7 +36,7 @@ sub showform ($$$$;@) { #{{{ printheader($session); print misctemplate($form->title, $form->render(submit => $buttons), @_); -} +} #}}} sub redirect ($$) { #{{{ my $q=shift; @@ -273,7 +273,7 @@ sub check_banned ($$) { #{{{ exit; } } -} +} #}}} sub cgi_getsession ($) { #{{{ my $q=shift; @@ -296,14 +296,16 @@ sub cgi_getsession ($) { #{{{ return $session; } #}}} -# The session id is stored on the form and checked to -# guard against CSRF. But only if the user is logged in, -# as anonok can allow anonymous edits. +# To guard against CSRF, the user's session id (sid) +# can be stored on a form. This function will check +# (for logged in users) that the sid on the form matches +# the session id in the cookie. sub checksessionexpiry ($$) { # {{{ + my $q=shift; my $session = shift; - my $sid = shift; if (defined $session->param("name")) { + my $sid=$q->param('sid'); if (! defined $sid || $sid ne $session->id) { error(gettext("Your login session has expired.")); } diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm index 1eb256da9..b8748a1d6 100644 --- a/IkiWiki/Plugin/comments.pm +++ b/IkiWiki/Plugin/comments.pm @@ -468,7 +468,7 @@ sub sessioncgi ($$) { #{{{ if ($form->submitted eq POST_COMMENT && $form->validate) { my $file = "$location._comment"; - IkiWiki::checksessionexpiry($session, $cgi->param('sid')); + IkiWiki::checksessionexpiry($cgi, $session); # FIXME: could probably do some sort of graceful retry # on error? Would require significant unwinding though diff --git a/IkiWiki/Plugin/editpage.pm b/IkiWiki/Plugin/editpage.pm index e4f0cdac0..242624d77 100644 --- a/IkiWiki/Plugin/editpage.pm +++ b/IkiWiki/Plugin/editpage.pm @@ -340,7 +340,7 @@ sub cgi_editpage ($$) { #{{{ else { # save page check_canedit($page, $q, $session); - checksessionexpiry($session, $q->param('sid')); + checksessionexpiry($q, $session, $q->param('sid')); my $exists=-e "$config{srcdir}/$file"; |