| 1 |
diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm |
diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/Events.pm |
| 2 |
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm 2018-10-22 15:37:29.557795203 +0200 |
--- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2005-10-31 18:24:02.000000000 +0100 |
| 3 |
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2018-10-22 15:39:25.003464188 +0200 |
+++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/Events.pm 2018-10-10 08:17:20.871139677 +0200 |
| 4 |
@@ -130,6 +130,11 @@ |
@@ -79,6 +79,13 @@ |
| 5 |
|
} else { |
| 6 |
|
$self->debug_msg("Validation successful."); |
| 7 |
|
|
| 8 |
|
+ # Don't run any post event unless it's a POST request |
| 9 |
|
+ return unless (($self->{cgi}->request_method || '') eq 'POST'); |
| 10 |
|
+ if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){ |
| 11 |
|
+ warn "CSRF protection blocked request\n"; |
| 12 |
|
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE')); |
| 13 |
|
+ } |
| 14 |
|
+ |
| 15 |
|
# find out what the form post_event action is. |
| 16 |
|
my $post_form_routine = $self->{xml}->{'post-event'}; |
| 17 |
|
|
| 18 |
|
@@ -130,6 +137,14 @@ |
| 19 |
sub page_post_event { |
sub page_post_event { |
| 20 |
my ($self) = @_; |
my ($self) = @_; |
| 21 |
$self->debug_msg("This is the page post-event."); |
$self->debug_msg("This is the page post-event."); |
| 22 |
+ if ($self->{csrf} and ($self->{cgi}->request_method || 'POST') eq 'POST' and |
+ |
| 23 |
+ ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){ |
+ # Don't run any post event unless it's a POST request |
| 24 |
|
+ return unless (($self->{cgi}->request_method || '') eq 'POST'); |
| 25 |
|
+ if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){ |
| 26 |
+ warn "CSRF protection blocked request\n"; |
+ warn "CSRF protection blocked request\n"; |
| 27 |
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE')); |
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE')); |
| 28 |
+ } |
+ } |
| 29 |
|
+ |
| 30 |
if (my $post_page_routine = $self->page->{'post-event'}) { |
if (my $post_page_routine = $self->page->{'post-event'}) { |
| 31 |
$self->debug_msg("The post-routine is $post_page_routine"); |
$self->debug_msg("The post-routine is $post_page_routine"); |
| 32 |
$self->do_external_routine($post_page_routine); |
$self->do_external_routine($post_page_routine); |
| 33 |
diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm |
diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/HTML.pm |
| 34 |
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm 2018-10-22 15:37:29.574796035 +0200 |
--- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm 2018-10-09 16:57:49.511171415 +0200 |
| 35 |
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm 2018-10-22 15:39:59.995182470 +0200 |
+++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/HTML.pm 2018-10-09 17:01:20.380167138 +0200 |
| 36 |
@@ -182,6 +182,9 @@ |
@@ -182,6 +182,9 @@ |
| 37 |
print qq( <input type="hidden" name="page" value="$fm->{page_number}">\n); |
print qq( <input type="hidden" name="page" value="$fm->{page_number}">\n); |
| 38 |
print qq( <input type="hidden" name="page_stack" value="$fm->{page_stack}">\n); |
print qq( <input type="hidden" name="page_stack" value="$fm->{page_stack}">\n); |
| 43 |
print " <table class=\"sme-noborders\">\n"; |
print " <table class=\"sme-noborders\">\n"; |
| 44 |
|
|
| 45 |
if ($menu) |
if ($menu) |
| 46 |
diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm |
diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick.pm |
| 47 |
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm 2018-10-22 15:37:29.557795203 +0200 |
--- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2013-01-25 18:31:36.000000000 +0100 |
| 48 |
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2018-10-22 15:41:24.889351176 +0200 |
+++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick.pm 2018-10-09 17:00:30.323930724 +0200 |
| 49 |
@@ -24,6 +24,7 @@ |
@@ -24,6 +24,7 @@ |
| 50 |
use CGI::FormMagick::Utils; |
use CGI::FormMagick::Utils; |
| 51 |
use CGI::FormMagick::Sub; |
use CGI::FormMagick::Sub; |
| 62 |
|
|
| 63 |
if ($self->{cgi}) { |
if ($self->{cgi}) { |
| 64 |
if ($args{sessiondir}) { |
if ($args{sessiondir}) { |
| 65 |
@@ -195,6 +197,11 @@ |
@@ -194,7 +196,11 @@ |
| 66 |
|
local $^W = 0; |
| 67 |
$self->{cgi} = new CGI::Persistent $self->{sessiondir}; |
$self->{cgi} = new CGI::Persistent $self->{sessiondir}; |
| 68 |
} |
} |
| 69 |
|
- |
| 70 |
+ # Create a CSRF token to compare later with. And store it in the session |
+ # Create a CSRF token to compare later with. And store it in the session |
| 71 |
+ if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){ |
+ if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){ |
| 72 |
+ $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get); |
+ $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get); |
Parent Directory
| 
Revision Log
| 
Revision Graph
| 
Patch
