--- rpms/perl-CGI-FormMagick/sme9/perl-CGI-FormMagick-0.93-csrf.patch 2018/10/22 13:50:37 1.1
+++ rpms/perl-CGI-FormMagick/sme9/perl-CGI-FormMagick-0.93-csrf.patch 2019/01/27 18:16:55 1.2
@@ -1,21 +1,38 @@ -diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm ---- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm 2018-10-22 15:37:29.557795203 +0200 -+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2018-10-22 15:39:25.003464188 +0200 -@@ -130,6 +130,11 @@ +diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/Events.pm +--- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2005-10-31 18:24:02.000000000 +0100 ++++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/Events.pm 2018-10-10 08:17:20.871139677 +0200 +@@ -79,6 +79,13 @@ + } else { + $self->debug_msg("Validation successful."); + ++ # Don't run any post event unless it's a POST request ++ return unless (($self->{cgi}->request_method || '') eq 'POST'); ++ if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){ ++ warn "CSRF protection blocked request\n"; ++ return $self->error($self->localise('CSRF_VALIDATION_FAILURE')); ++ } ++ + # find out what the form post_event action is. 
+ my $post_form_routine = $self->{xml}->{'post-event'}; + +@@ -130,6 +137,14 @@ sub page_post_event { my ($self) = @_; $self->debug_msg("This is the page post-event."); -+ if ($self->{csrf} and ($self->{cgi}->request_method || 'POST') eq 'POST' and -+ ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){ ++ ++ # Don't run any post event unless it's a POST request ++ return unless (($self->{cgi}->request_method || '') eq 'POST'); ++ if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){ + warn "CSRF protection blocked request\n"; + return $self->error($self->localise('CSRF_VALIDATION_FAILURE')); + } ++ if (my $post_page_routine = $self->page->{'post-event'}) { $self->debug_msg("The post-routine is $post_page_routine"); $self->do_external_routine($post_page_routine); -diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm ---- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm 2018-10-22 15:37:29.574796035 +0200 -+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm 2018-10-22 15:39:59.995182470 +0200 +diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/HTML.pm +--- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm 2018-10-09 16:57:49.511171415 +0200 ++++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/HTML.pm 2018-10-09 17:01:20.380167138 +0200 @@ -182,6 +182,9 @@ print qq( \n); print qq( \n); 
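Review bot: The token comparison added to both post-event paths does not fail closed: `($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')` is false when the stored `csrf_token_compare` is undef or empty and the request carries no `csrf_token`, so the post event would still run. Requiring a non-empty stored value first closes that case, e.g. `my $want = $self->{cgi}->param('csrf_token_compare');` followed by `if ($self->{csrf} and (!$want or ($self->{cgi}->param('csrf_token') || '') ne $want)) {`. The reference value is also read through the same `param()` interface as request input, so it is worth confirming that CGI::Persistent does not let a submitted `csrf_token_compare` field replace the session copy. The identical guard appears twice (the form post-event path and `page_post_event`); a small private helper would keep the two from drifting apart. Both enclosing subs start and end outside the hunk, so this is based only on the lines shown.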
@@ -26,9 +43,9 @@ diff -ruN perl-CGI-FormMagick-0.93.old/l print " \n"; if ($menu) -diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm ---- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm 2018-10-22 15:37:29.557795203 +0200 -+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2018-10-22 15:41:24.889351176 +0200 +diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick.pm +--- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2013-01-25 18:31:36.000000000 +0100 ++++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick.pm 2018-10-09 17:00:30.323930724 +0200 @@ -24,6 +24,7 @@ use CGI::FormMagick::Utils; use CGI::FormMagick::Sub; @@ -45,10 +62,11 @@ diff -ruN perl-CGI-FormMagick-0.93.old/l if ($self->{cgi}) { if ($args{sessiondir}) { -@@ -195,6 +197,11 @@ +@@ -194,7 +196,11 @@ + local $^W = 0; $self->{cgi} = new CGI::Persistent $self->{sessiondir}; } - +- + # Create a CSRF token to compare later with. And store it in the session + if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){ + $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);