1 |
diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm |
2 |
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm 2018-10-22 15:37:29.557795203 +0200 |
3 |
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2018-10-22 15:39:25.003464188 +0200 |
4 |
@@ -130,6 +130,11 @@ |
5 |
sub page_post_event { |
6 |
my ($self) = @_; |
7 |
$self->debug_msg("This is the page post-event."); |
8 |
+ if ($self->{csrf} and ($self->{cgi}->request_method || 'POST') eq 'POST' and |
9 |
+ ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){ |
10 |
+ warn "CSRF protection blocked request\n"; |
11 |
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE')); |
12 |
+ } |
13 |
if (my $post_page_routine = $self->page->{'post-event'}) { |
14 |
$self->debug_msg("The post-routine is $post_page_routine"); |
15 |
$self->do_external_routine($post_page_routine); |
16 |
diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm |
17 |
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm 2018-10-22 15:37:29.574796035 +0200 |
18 |
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm 2018-10-22 15:39:59.995182470 +0200 |
19 |
@@ -182,6 +182,9 @@ |
20 |
print qq( <input type="hidden" name="page" value="$fm->{page_number}">\n); |
21 |
print qq( <input type="hidden" name="page_stack" value="$fm->{page_stack}">\n); |
22 |
print " ",$fm->{cgi}->state_field(), "\n"; # hidden field with state ID |
23 |
+ if ($fm->{cgi}->param('csrf_token_compare')){ |
24 |
+ print " <input type=\"hidden\" name=\"csrf_token\" value=\"" . $fm->{cgi}->param('csrf_token_compare') . "\">\n"; |
25 |
+ } |
26 |
print " <table class=\"sme-noborders\">\n"; |
27 |
|
28 |
if ($menu) |
29 |
diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm |
30 |
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm 2018-10-22 15:37:29.557795203 +0200 |
31 |
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2018-10-22 15:41:24.889351176 +0200 |
32 |
@@ -24,6 +24,7 @@ |
33 |
use CGI::FormMagick::Utils; |
34 |
use CGI::FormMagick::Sub; |
35 |
use File::Basename; |
36 |
+use Session::Token; |
37 |
|
38 |
use strict; |
39 |
use Carp; |
40 |
@@ -181,6 +182,7 @@ |
41 |
$self->{charset} = $args{charset} || 'UTF-8'; |
42 |
$self->{cgi} = $args{cgi}; |
43 |
$self->{debug} = $args{debug} || 0; |
44 |
+ $self->{csrf} = $args{csrf} || 0; |
45 |
|
46 |
if ($self->{cgi}) { |
47 |
if ($args{sessiondir}) { |
48 |
@@ -195,6 +197,11 @@ |
49 |
$self->{cgi} = new CGI::Persistent $self->{sessiondir}; |
50 |
} |
51 |
|
52 |
+ # Create a CSRF token to compare later with. And store it in the session |
53 |
+ if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){ |
54 |
+ $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get); |
55 |
+ $self->commit_session; |
56 |
+ } |
57 |
|
58 |
foreach (qw(PREVIOUSBUTTON RESETBUTTON STARTOVERLINK NEXTBUTTON)) { |
59 |
if (exists $args{$_}) { |