


Mon Oct 22 13:50:37 2018 UTC (6 years, 1 month ago) by jcrisp
Branch: MAIN
CVS Tags: perl-CGI-FormMagick-0_93-4_el6_sme, perl-CGI-FormMagick-0_93-3_el6_sme
* Mon Oct 22 2018 John Crisp <jcrisp@safeandsoundit.co.uk.co.uk> 0.93-3.sme
- add CSRF patch [SME:10626] - thank you to Daniel Berteaud

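diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm 2018-10-22 15:37:29.557795203 +0200
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2018-10-22 15:39:25.003464188 +0200
@@ -130,6 +130,11 @@
 sub page_post_event {
 my ($self) = @_;
 $self->debug_msg("This is the page post-event.");
+ if ($self->{csrf} and ($self->{cgi}->request_method || 'POST') eq 'POST' and
+ ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+ warn "CSRF protection blocked request\n";
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
+ }
 if (my $post_page_routine = $self->page->{'post-event'}) {
 $self->debug_msg("The post-routine is $post_page_routine");
 $self->do_external_routine($post_page_routine);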
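Review bot: The reference value on the right-hand side of `ne` is fetched through the same `param` accessor as the submitted `csrf_token`, and on CGI.pm-derived objects `param` also reflects request parameters; unless CGI::Persistent guarantees that session state takes precedence over a same-named request parameter (I cannot confirm that from here), the comparison does not prove the client held the server-issued token, and the `not ... param('csrf_token_compare')` guard in the FormMagick.pm hunk `@@ -195,6 +197,11 @@` is skipped for the same reason, so the reference should live in a session-only slot that form input cannot populate. Separately, when the reference is absent the comparison is `'' ne undef`, which is false (and warns under `use warnings`), so a request with no token at all is accepted instead of rejected; fail closed with `my $expected = $self->{cgi}->param('csrf_token_compare');` and `(not defined $expected or ($self->{cgi}->param('csrf_token') || '') ne $expected)` as the last condition. The `warn` could include the page number so blocked requests can be correlated in the error log. page_post_event continues past the end of the hunk.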
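diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm 2018-10-22 15:37:29.574796035 +0200
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm 2018-10-22 15:39:59.995182470 +0200
@@ -182,6 +182,9 @@
 print qq( <input type="hidden" name="page" value="$fm->{page_number}">\n);
 print qq( <input type="hidden" name="page_stack" value="$fm->{page_stack}">\n);
 print " ",$fm->{cgi}->state_field(), "\n"; # hidden field with state ID
+ if ($fm->{cgi}->param('csrf_token_compare')){
+ print " <input type=\"hidden\" name=\"csrf_token\" value=\"" . $fm->{cgi}->param('csrf_token_compare') . "\">\n";
+ }
 print " <table class=\"sme-noborders\">\n";
 
 if ($menu)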
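Review bot: The token is interpolated into the hidden field's value attribute without escaping on the second added line; Session::Token yields only alphanumerics by default, but the value is read back through `param`, so if it can ever be set from outside the session it is reflected into the page verbatim. Escape it like any other parameter, `print " <input type=\"hidden\" name=\"csrf_token\" value=\"" . $fm->{cgi}->escapeHTML($fm->{cgi}->param('csrf_token_compare')) . "\">\n";` (`escapeHTML` is a CGI.pm method, which `$fm->{cgi}` appears to be given the `param`/`state_field` calls). The neighbouring context lines build their fields with `qq( ... )`, so the added `print` could use the same quoting style rather than backslash-escaped double quotes. The enclosing routine starts and ends outside the hunk.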
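diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm 2018-10-22 15:37:29.557795203 +0200
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2018-10-22 15:41:24.889351176 +0200
@@ -24,6 +24,7 @@
 use CGI::FormMagick::Utils;
 use CGI::FormMagick::Sub;
 use File::Basename;
+use Session::Token;
 
 use strict;
 use Carp;
@@ -181,6 +182,7 @@
 $self->{charset} = $args{charset} || 'UTF-8';
 $self->{cgi} = $args{cgi};
 $self->{debug} = $args{debug} || 0;
+ $self->{csrf} = $args{csrf} || 0;
 
 if ($self->{cgi}) {
 if ($args{sessiondir}) {
@@ -195,6 +197,11 @@
 $self->{cgi} = new CGI::Persistent $self->{sessiondir};
 }
 
+ # Create a CSRF token to compare later with. And store it in the session
+ if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
+ $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
+ $self->commit_session;
+ }
 
 foreach (qw(PREVIOUSBUTTON RESETBUTTON STARTOVERLINK NEXTBUTTON)) {
 if (exists $args{$_}) {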
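Review bot: The new `csrf` constructor argument added in the hunk at `@@ -181,6 +182,7 @@` is undocumented, and the comment above the generation block in `@@ -195,6 +197,11 @@` says what happens but not that protection is opt-in, that it depends on a CGI::Persistent session being present (the enclosing `if ($self->{cgi})` branch), or that Events.pm rejects every POST whose `csrf_token` does not match. If the constructor has a POD options list (outside these hunks), add an entry along the lines of `csrf => 1 — issue a per-session token and require it back as the csrf_token hidden field on every POST; default 0`. The `use Session::Token;` line in the first hunk makes a non-core CPAN module a hard dependency even for callers that never set `csrf`; either `require Session::Token;` inside the `if` at the point of use or make sure the packaging declares the new requirement. The constructor starts before and ends after these hunks.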
