perl-CGI-FormMagick/sme10/perl-CGI-FormMagick-0.93-csrf.patch

diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm   2018-10-22 15:37:29.557795203 +0200
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm       2018-10-22 15:39:25.003464188 +0200
@@ -130,6 +130,11 @@
 sub page_post_event {
     my ($self) = @_;
     $self->debug_msg("This is the page post-event.");
+    if ($self->{csrf} and ($self->{cgi}->request_method || 'POST') eq 'POST' and
+       ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+        warn "CSRF protection blocked request\n";
+        return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
+    }
     if (my $post_page_routine = $self->page->{'post-event'}) {
       $self->debug_msg("The post-routine is $post_page_routine");
       $self->do_external_routine($post_page_routine);
diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm     2018-10-22 15:37:29.574796035 +0200
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm 2018-10-22 15:39:59.995182470 +0200
@@ -182,6 +182,9 @@
     print qq(  <input type="hidden" name="page" value="$fm->{page_number}">\n);
     print qq(  <input type="hidden" name="page_stack" value="$fm->{page_stack}">\n);
     print "  ",$fm->{cgi}->state_field(), "\n";        # hidden field with state ID
+    if ($fm->{cgi}->param('csrf_token_compare')){
+        print "  <input type=\"hidden\" name=\"csrf_token\" value=\"" . $fm->{cgi}->param('csrf_token_compare') . "\">\n";
+    }
     print "  <table class=\"sme-noborders\">\n";
 
     if ($menu)
diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm  2018-10-22 15:37:29.557795203 +0200
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm      2018-10-22 15:41:24.889351176 +0200
@@ -24,6 +24,7 @@
 use CGI::FormMagick::Utils;
 use CGI::FormMagick::Sub;
 use File::Basename;
+use Session::Token;
 
 use strict;
 use Carp;
@@ -181,6 +182,7 @@
     $self->{charset}    = $args{charset} || 'UTF-8';
     $self->{cgi}        = $args{cgi};
     $self->{debug}      = $args{debug}      || 0;
+    $self->{csrf}       = $args{csrf} || 0;
 
     if ($self->{cgi}) {
         if ($args{sessiondir}) {
@@ -195,6 +197,11 @@
         $self->{cgi} = new CGI::Persistent $self->{sessiondir};
     }
 
+    # Create a CSRF token to compare later with. And store it in the session
+    if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
+        $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
+        $self->commit_session;
+    }
 
     foreach (qw(PREVIOUSBUTTON RESETBUTTON STARTOVERLINK NEXTBUTTON)) {
         if (exists $args{$_}) {
1	diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm
2	--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm 2018-10-22 15:37:29.557795203 +0200
3	+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2018-10-22 15:39:25.003464188 +0200
4	@@ -130,6 +130,11 @@
5	sub page_post_event {
6	my ($self) = @_;
7	$self->debug_msg("This is the page post-event.");
8	+ if ($self->{csrf} and ($self->{cgi}->request_method \|\| 'POST') eq 'POST' and
9	+ ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')){
10	+ warn "CSRF protection blocked request\n";
11	+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
12	+ }
13	if (my $post_page_routine = $self->page->{'post-event'}) {
14	$self->debug_msg("The post-routine is $post_page_routine");
15	$self->do_external_routine($post_page_routine);
16	diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm
17	--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm 2018-10-22 15:37:29.574796035 +0200
18	+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm 2018-10-22 15:39:59.995182470 +0200
19	@@ -182,6 +182,9 @@
20	print qq( <input type="hidden" name="page" value="$fm->{page_number}">\n);
21	print qq( <input type="hidden" name="page_stack" value="$fm->{page_stack}">\n);
22	print " ",$fm->{cgi}->state_field(), "\n"; # hidden field with state ID
23	+ if ($fm->{cgi}->param('csrf_token_compare')){
24	+ print " <input type=\"hidden\" name=\"csrf_token\" value=\"" . $fm->{cgi}->param('csrf_token_compare') . "\">\n";
25	+ }
26	print " <table class=\"sme-noborders\">\n";
27
28	if ($menu)
29	diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm
30	--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm 2018-10-22 15:37:29.557795203 +0200
31	+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2018-10-22 15:41:24.889351176 +0200
32	@@ -24,6 +24,7 @@
33	use CGI::FormMagick::Utils;
34	use CGI::FormMagick::Sub;
35	use File::Basename;
36	+use Session::Token;
37
38	use strict;
39	use Carp;
40	@@ -181,6 +182,7 @@
41	$self->{charset} = $args{charset} \|\| 'UTF-8';
42	$self->{cgi} = $args{cgi};
43	$self->{debug} = $args{debug} \|\| 0;
44	+ $self->{csrf} = $args{csrf} \|\| 0;
45
46	if ($self->{cgi}) {
47	if ($args{sessiondir}) {
48	@@ -195,6 +197,11 @@
49	$self->{cgi} = new CGI::Persistent $self->{sessiondir};
50	}
51
52	+ # Create a CSRF token to compare later with. And store it in the session
53	+ if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
54	+ $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
55	+ $self->commit_session;
56	+ }
57
58	foreach (qw(PREVIOUSBUTTON RESETBUTTON STARTOVERLINK NEXTBUTTON)) {
59	if (exists $args{$_}) {