perl-CGI-FormMagick/sme10/perl-CGI-FormMagick-CSRFtimeout.patch

--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm   2019-01-27 13:17:40.000000000 -0500
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm       2019-01-27 14:35:18.143816986 -0500
@@ -83,8 +83,12 @@
         $self->debug_msg("Validation successful.");
 
         # Don't run any post event unless it's a POST request
+        $self->debug_msg("Request method should be POST.")  unless (($self->{cgi}->request_method || '') eq 'POST') ;
         return unless (($self->{cgi}->request_method || '') eq 'POST');
-        if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+        if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+           or $self->{cgi}->param('csrf_timestamp') + 120  < time ) ) {
+           # only 3 min to validate form
+           $self->debug_msg("SRF protection blocked request");
             warn "CSRF protection blocked request\n";
             return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
         }
@@ -142,8 +146,12 @@
     $self->debug_msg("This is the page post-event.");
 
     # Don't run any post event unless it's a POST request
+    $self->debug_msg("Request method should be POST.")  unless (($self->{cgi}->request_method || '') eq 'POST') ;
     return unless (($self->{cgi}->request_method || '') eq 'POST');
-    if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+    if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+       or $self->{cgi}->param('csrf_timestamp') + 120  < time ) ) {
+        # only 3 min to validate form
+        $self->debug_msg("SRF protection blocked request");
         warn "CSRF protection blocked request\n";
         return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
     }
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm  2019-01-27 13:17:40.000000000 -0500
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm      2019-01-27 14:32:14.186747779 -0500
@@ -202,6 +202,7 @@
     # Create a CSRF token to compare later with. And store it in the session
     if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
         $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
+       $self->{cgi}->param(-name => 'csrf_timestamp', -value =>  time);
         $self->commit_session;
     }
 
1	--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm 2019-01-27 13:17:40.000000000 -0500
2	+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2019-01-27 14:35:18.143816986 -0500
3	@@ -83,8 +83,12 @@
4	$self->debug_msg("Validation successful.");
5
6	# Don't run any post event unless it's a POST request
7	+ $self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method \|\| '') eq 'POST') ;
8	return unless (($self->{cgi}->request_method \|\| '') eq 'POST');
9	- if ($self->{csrf} and ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')){
10	+ if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')
11	+ or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {
12	+ # only 3 min to validate form
13	+ $self->debug_msg("SRF protection blocked request");
14	warn "CSRF protection blocked request\n";
15	return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
16	}
17	@@ -142,8 +146,12 @@
18	$self->debug_msg("This is the page post-event.");
19
20	# Don't run any post event unless it's a POST request
21	+ $self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method \|\| '') eq 'POST') ;
22	return unless (($self->{cgi}->request_method \|\| '') eq 'POST');
23	- if ($self->{csrf} and ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')){
24	+ if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')
25	+ or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {
26	+ # only 3 min to validate form
27	+ $self->debug_msg("SRF protection blocked request");
28	warn "CSRF protection blocked request\n";
29	return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
30	}
31	--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm 2019-01-27 13:17:40.000000000 -0500
32	+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2019-01-27 14:32:14.186747779 -0500
33	@@ -202,6 +202,7 @@
34	# Create a CSRF token to compare later with. And store it in the session
35	if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
36	$self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
37	+ $self->{cgi}->param(-name => 'csrf_timestamp', -value => time);
38	$self->commit_session;
39	}
40