
Contents of /rpms/perl-CGI-FormMagick/sme9/perl-CGI-FormMagick-0.93-csrf.patch



Revision 1.2 - (show annotations) (download)
Sun Jan 27 18:16:55 2019 UTC (5 years, 10 months ago) by jpp
Branch: MAIN
CVS Tags: perl-CGI-FormMagick-0_93-6_el6_sme, perl-CGI-FormMagick-0_93-5_el6_sme, HEAD
Changes since 1.1: +32 -14 lines
* Sun Jan 27 2019 Jean-Philipe Pialasse <tests@pialasse.com> 0.93-5.sme
- new patch version [SME: 10626]

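--- a/lib/CGI/FormMagick/Events.pm
+++ b/lib/CGI/FormMagick/Events.pm
@@ -79,6 +79,13 @@
 } else {
 $self->debug_msg("Validation successful.");
 
+ # Don't run any post event unless it's a POST request
+ return unless (($self->{cgi}->request_method || '') eq 'POST');
+ if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+ warn "CSRF protection blocked request\n";
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
+ }
+
 # find out what the form post_event action is.
 my $post_form_routine = $self->{xml}->{'post-event'};
 
@@ -130,6 +137,14 @@
 sub page_post_event {
 my ($self) = @_;
 $self->debug_msg("This is the page post-event.");
+
+ # Don't run any post event unless it's a POST request
+ return unless (($self->{cgi}->request_method || '') eq 'POST');
+ if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+ warn "CSRF protection blocked request\n";
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
+ }
+
 if (my $post_page_routine = $self->page->{'post-event'}) {
 $self->debug_msg("The post-routine is $post_page_routine");
 $self->do_external_routine($post_page_routine);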
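Review bot: The `if ($self->{csrf} and ...)` guard in both hunks lets a request through whenever the session holds no `csrf_token_compare`, because `'' ne undef` is false (with only an "uninitialized" warning): with `csrf` on but the stored token absent, a cross-site post is still accepted, since the `|| ''` fallback covers only the submitted side. Whether a session can reach these subs without a token is not visible here (the generator lives in the constructor), but a CSRF check should fail closed and require both values to be defined and equal. The two copies are also byte-identical, so the comparison belongs in one private helper, leaving each event sub with a single line `return $self->error($self->localise('CSRF_VALIDATION_FAILURE')) unless $self->_csrf_ok;`. The sub enclosing the first hunk starts before it and `page_post_event` continues past the second, so the helper goes at file scope beside them.
```perl
# True when CSRF protection is off, or when the submitted csrf_token equals
# the token held in the session; otherwise logs the rejection and is false.
# Both values must be present: a missing session token must not pass.
sub _csrf_ok {
    my ($self) = @_;
    return 1 unless $self->{csrf};
    my $token    = $self->{cgi}->param('csrf_token');
    my $expected = $self->{cgi}->param('csrf_token_compare');
    return 1 if defined $token and defined $expected and $token eq $expected;
    warn "CSRF protection blocked request\n";
    return 0;
}
# … unchanged: each post event keeps its POST-method check and then calls
#     return $self->error($self->localise('CSRF_VALIDATION_FAILURE')) unless $self->_csrf_ok;
```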
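--- a/lib/CGI/FormMagick/HTML.pm
+++ b/lib/CGI/FormMagick/HTML.pm
@@ -182,6 +182,9 @@
 print qq( <input type="hidden" name="page" value="$fm->{page_number}">\n);
 print qq( <input type="hidden" name="page_stack" value="$fm->{page_stack}">\n);
 print " ",$fm->{cgi}->state_field(), "\n"; # hidden field with state ID
+ if ($fm->{cgi}->param('csrf_token_compare')){
+ print " <input type=\"hidden\" name=\"csrf_token\" value=\"" . $fm->{cgi}->param('csrf_token_compare') . "\">\n";
+ }
 print " <table class=\"sme-noborders\">\n";
 
 if ($menu)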
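Review bot: The new hidden field concatenates `param('csrf_token_compare')` straight into a double-quoted attribute with no HTML escaping, and reads the param twice. The value is expected to be Session::Token output, which is alphanumeric as far as I know, but it is fetched from the same param namespace the request writes to, so escaping it costs nothing and keeps the markup intact whatever ends up there. Read it once and escape it with CGI's `escapeHTML`: `if (my $csrf_token = $fm->{cgi}->param('csrf_token_compare')) {` / `print qq( <input type="hidden" name="csrf_token" value=") . $fm->{cgi}->escapeHTML($csrf_token) . qq(">\n);` / `}`. The enclosing sub starts and ends outside the hunk.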
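--- a/lib/CGI/FormMagick.pm
+++ b/lib/CGI/FormMagick.pm
@@ -24,6 +24,7 @@
 use CGI::FormMagick::Utils;
 use CGI::FormMagick::Sub;
 use File::Basename;
+use Session::Token;
 
 use strict;
 use Carp;
@@ -181,6 +182,7 @@
 $self->{charset} = $args{charset} || 'UTF-8';
 $self->{cgi} = $args{cgi};
 $self->{debug} = $args{debug} || 0;
+ $self->{csrf} = $args{csrf} || 0;
 
 if ($self->{cgi}) {
 if ($args{sessiondir}) {
@@ -194,7 +196,11 @@
 local $^W = 0;
 $self->{cgi} = new CGI::Persistent $self->{sessiondir};
 }
-
+ # Create a CSRF token to compare later with. And store it in the session
+ if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
+ $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
+ $self->commit_session;
+ }
 
 foreach (qw(PREVIOUSBUTTON RESETBUTTON STARTOVERLINK NEXTBUTTON)) {
 if (exists $args{$_}) {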
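Review bot: The generated token is kept as an ordinary CGI param (`csrf_token_compare`) in the third hunk, the same namespace the browser's form fields land in, so the strength of the check in Events.pm rests on CGI::Persistent restoring the saved value in preference to a `csrf_token_compare` supplied in the request; that behaviour is not visible in this diff and decides whether the comparison can be satisfied by the client alone. State the assumption where the token is created, e.g. `# Stored as a session param: relies on CGI::Persistent restoring the saved value over any submitted csrf_token_compare — verify, or move the token to a dedicated session slot`. `Session::Token` is a non-core CPAN module, so the package spec presumably needs a matching `Requires:` entry (not shown here). The `csrf` flag defaults to 0, which makes the protection opt-in per application and deserves a line in the constructor's POD. The constructor continues past the hunk.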
