1 |
jpp |
1.2 |
diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/Events.pm |
2 |
|
|
--- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2005-10-31 18:24:02.000000000 +0100 |
3 |
|
|
+++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/Events.pm 2018-10-10 08:17:20.871139677 +0200 |
4 |
|
|
@@ -79,6 +79,13 @@ |
5 |
|
|
} else { |
6 |
|
|
$self->debug_msg("Validation successful."); |
7 |
|
|
|
8 |
|
|
+ # Don't run any post event unless it's a POST request |
9 |
|
|
+ return unless (($self->{cgi}->request_method || '') eq 'POST'); |
10 |
|
|
+ if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){ |
11 |
|
|
+ warn "CSRF protection blocked request\n"; |
12 |
|
|
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE')); |
13 |
|
|
+ } |
14 |
|
|
+ |
15 |
|
|
# find out what the form post_event action is. |
16 |
|
|
my $post_form_routine = $self->{xml}->{'post-event'}; |
17 |
|
|
|
18 |
|
|
@@ -130,6 +137,14 @@ |
19 |
jcrisp |
1.1 |
sub page_post_event { |
20 |
|
|
my ($self) = @_; |
21 |
|
|
$self->debug_msg("This is the page post-event."); |
22 |
jpp |
1.2 |
+ |
23 |
|
|
+ # Don't run any post event unless it's a POST request |
24 |
|
|
+ return unless (($self->{cgi}->request_method || '') eq 'POST'); |
25 |
|
|
+ if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){ |
26 |
jcrisp |
1.1 |
+ warn "CSRF protection blocked request\n"; |
27 |
|
|
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE')); |
28 |
|
|
+ } |
29 |
jpp |
1.2 |
+ |
30 |
jcrisp |
1.1 |
if (my $post_page_routine = $self->page->{'post-event'}) { |
31 |
|
|
$self->debug_msg("The post-routine is $post_page_routine"); |
32 |
|
|
$self->do_external_routine($post_page_routine); |
33 |
jpp |
1.2 |
diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/HTML.pm |
34 |
|
|
--- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm 2018-10-09 16:57:49.511171415 +0200 |
35 |
|
|
+++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/HTML.pm 2018-10-09 17:01:20.380167138 +0200 |
36 |
jcrisp |
1.1 |
@@ -182,6 +182,9 @@ |
37 |
|
|
print qq( <input type="hidden" name="page" value="$fm->{page_number}">\n); |
38 |
|
|
print qq( <input type="hidden" name="page_stack" value="$fm->{page_stack}">\n); |
39 |
|
|
print " ",$fm->{cgi}->state_field(), "\n"; # hidden field with state ID |
40 |
|
|
+ if ($fm->{cgi}->param('csrf_token_compare')){ |
41 |
|
|
+ print " <input type=\"hidden\" name=\"csrf_token\" value=\"" . $fm->{cgi}->param('csrf_token_compare') . "\">\n"; |
42 |
|
|
+ } |
43 |
|
|
print " <table class=\"sme-noborders\">\n"; |
44 |
|
|
|
45 |
|
|
if ($menu) |
46 |
jpp |
1.2 |
diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick.pm |
47 |
|
|
--- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2013-01-25 18:31:36.000000000 +0100 |
48 |
|
|
+++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick.pm 2018-10-09 17:00:30.323930724 +0200 |
49 |
jcrisp |
1.1 |
@@ -24,6 +24,7 @@ |
50 |
|
|
use CGI::FormMagick::Utils; |
51 |
|
|
use CGI::FormMagick::Sub; |
52 |
|
|
use File::Basename; |
53 |
|
|
+use Session::Token; |
54 |
|
|
|
55 |
|
|
use strict; |
56 |
|
|
use Carp; |
57 |
|
|
@@ -181,6 +182,7 @@ |
58 |
|
|
$self->{charset} = $args{charset} || 'UTF-8'; |
59 |
|
|
$self->{cgi} = $args{cgi}; |
60 |
|
|
$self->{debug} = $args{debug} || 0; |
61 |
|
|
+ $self->{csrf} = $args{csrf} || 0; |
62 |
|
|
|
63 |
|
|
if ($self->{cgi}) { |
64 |
|
|
if ($args{sessiondir}) { |
65 |
jpp |
1.2 |
@@ -194,7 +196,11 @@ |
66 |
|
|
local $^W = 0; |
67 |
jcrisp |
1.1 |
$self->{cgi} = new CGI::Persistent $self->{sessiondir}; |
68 |
|
|
} |
69 |
jpp |
1.2 |
- |
70 |
jcrisp |
1.1 |
+ # Create a CSRF token to compare later with. And store it in the session |
71 |
|
|
+ if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){ |
72 |
|
|
+ $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get); |
73 |
|
|
+ $self->commit_session; |
74 |
|
|
+ } |
75 |
|
|
|
76 |
|
|
foreach (qw(PREVIOUSBUTTON RESETBUTTON STARTOVERLINK NEXTBUTTON)) { |
77 |
|
|
if (exists $args{$_}) { |