/[smeserver]/rpms/perl-CGI-FormMagick/sme9/perl-CGI-FormMagick-0.93-csrf.patch

Diff of /rpms/perl-CGI-FormMagick/sme9/perl-CGI-FormMagick-0.93-csrf.patch


Revision 1.1 by jcrisp, Mon Oct 22 13:50:37 2018 UTC Revision 1.2 by jpp, Sun Jan 27 18:16:55 2019 UTC
# Line 1  Line 1 
1  diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm  diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/Events.pm
2  --- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm   2018-10-22 15:37:29.557795203 +0200  --- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm       2005-10-31 18:24:02.000000000 +0100
3  +++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm       2018-10-22 15:39:25.003464188 +0200  +++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/Events.pm       2018-10-10 08:17:20.871139677 +0200
4  @@ -130,6 +130,11 @@  @@ -79,6 +79,13 @@
5         } else {
6             $self->debug_msg("Validation successful.");
7    
8    +        # Don't run any post event unless it's a POST request
9    +        return unless (($self->{cgi}->request_method || '') eq 'POST');
10    +        if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
11    +            warn "CSRF protection blocked request\n";
12    +            return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
13    +        }
14    +
15             # find out what the form post_event action is.
16             my $post_form_routine = $self->{xml}->{'post-event'};
17    
18    @@ -130,6 +137,14 @@
19   sub page_post_event {   sub page_post_event {
20       my ($self) = @_;       my ($self) = @_;
21       $self->debug_msg("This is the page post-event.");       $self->debug_msg("This is the page post-event.");
22  +    if ($self->{csrf} and ($self->{cgi}->request_method || 'POST') eq 'POST' and  +
23  +       ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){  +    # Don't run any post event unless it's a POST request
24    +    return unless (($self->{cgi}->request_method || '') eq 'POST');
25    +    if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
26  +        warn "CSRF protection blocked request\n";  +        warn "CSRF protection blocked request\n";
27  +        return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));  +        return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
28  +    }  +    }
29    +
30       if (my $post_page_routine = $self->page->{'post-event'}) {       if (my $post_page_routine = $self->page->{'post-event'}) {
31         $self->debug_msg("The post-routine is $post_page_routine");         $self->debug_msg("The post-routine is $post_page_routine");
32         $self->do_external_routine($post_page_routine);         $self->do_external_routine($post_page_routine);
33  diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm  diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/HTML.pm
34  --- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/HTML.pm     2018-10-22 15:37:29.574796035 +0200  --- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm 2018-10-09 16:57:49.511171415 +0200
35  +++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm 2018-10-22 15:39:59.995182470 +0200  +++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/HTML.pm 2018-10-09 17:01:20.380167138 +0200
36  @@ -182,6 +182,9 @@  @@ -182,6 +182,9 @@
37       print qq(  <input type="hidden" name="page" value="$fm->{page_number}">\n);       print qq(  <input type="hidden" name="page" value="$fm->{page_number}">\n);
38       print qq(  <input type="hidden" name="page_stack" value="$fm->{page_stack}">\n);       print qq(  <input type="hidden" name="page_stack" value="$fm->{page_stack}">\n);
# Line 26  diff -ruN perl-CGI-FormMagick-0.93.old/l Line 43  diff -ruN perl-CGI-FormMagick-0.93.old/l
43       print "  <table class=\"sme-noborders\">\n";       print "  <table class=\"sme-noborders\">\n";
44    
45       if ($menu)       if ($menu)
46  diff -ruN perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm  diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick.pm
47  --- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm  2018-10-22 15:37:29.557795203 +0200  --- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm      2013-01-25 18:31:36.000000000 +0100
48  +++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm      2018-10-22 15:41:24.889351176 +0200  +++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick.pm      2018-10-09 17:00:30.323930724 +0200
49  @@ -24,6 +24,7 @@  @@ -24,6 +24,7 @@
50   use CGI::FormMagick::Utils;   use CGI::FormMagick::Utils;
51   use CGI::FormMagick::Sub;   use CGI::FormMagick::Sub;
# Line 45  diff -ruN perl-CGI-FormMagick-0.93.old/l Line 62  diff -ruN perl-CGI-FormMagick-0.93.old/l
62    
63       if ($self->{cgi}) {       if ($self->{cgi}) {
64           if ($args{sessiondir}) {           if ($args{sessiondir}) {
65  @@ -195,6 +197,11 @@  @@ -194,7 +196,11 @@
66             local $^W = 0;
67           $self->{cgi} = new CGI::Persistent $self->{sessiondir};           $self->{cgi} = new CGI::Persistent $self->{sessiondir};
68       }       }
69    -
70  +    # Create a CSRF token to compare later with. And store it in the session  +    # Create a CSRF token to compare later with. And store it in the session
71  +    if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){  +    if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
72  +        $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);  +        $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
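Review bot: The guard `if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare'))` in both form_post_event and page_post_event compares two values that are each read back through `$self->{cgi}->param`, and the only place shown that sets `csrf_token_compare` is the constructor hunk, which generates it only when the param is absent; if the persistent CGI layer also accepts `csrf_token_compare` from the incoming request (not visible here), a forged POST carrying matching `csrf_token` and `csrf_token_compare` values would pass the check, so it is worth confirming that `csrf_token_compare` can be populated from stored session state only, or reading it from the session store rather than from `param`. The same five lines are now duplicated in the two post-event subs; hoisting them into a `_csrf_check` helper that both call keeps the guards from drifting apart. `ne` is not a constant-time comparison, which is low risk for a 256-bit token but a simple length-plus-XOR loop would close the timing channel. The old `|| 'POST'` default that failed open on a missing request method is correctly replaced by `|| ''` on the new side. The bodies of form_post_event, page_post_event and the constructor all continue outside the hunks shown.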


