jpp |
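--- /usr/share/perl5/vendor_perl/CGI/FormMagick/Events.pm.ori 2019-01-27 13:17:40.000000000 -0500
+++ /usr/share/perl5/vendor_perl/CGI/FormMagick/Events.pm 2019-01-27 14:35:18.143816986 -0500
@@ -83,8 +83,12 @@
 $self->debug_msg("Validation successful.");
 
 # Don't run any post event unless it's a POST request
+$self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method || '') eq 'POST') ;
 return unless (($self->{cgi}->request_method || '') eq 'POST');
-if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {
+# only 3 min to validate form
+$self->debug_msg("SRF protection blocked request");
 warn "CSRF protection blocked request\n";
 return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
 }
@@ -142,8 +146,12 @@
 $self->debug_msg("This is the page post-event.");
 
 # Don't run any post event unless it's a POST request
+$self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method || '') eq 'POST') ;
 return unless (($self->{cgi}->request_method || '') eq 'POST');
-if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {
+# only 3 min to validate form
+$self->debug_msg("SRF protection blocked request");
 warn "CSRF protection blocked request\n";
 return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
 }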
|
|
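--- /usr/share/perl5/vendor_perl/CGI/FormMagick.pm.ori 2019-01-27 13:17:40.000000000 -0500
+++ /usr/share/perl5/vendor_perl/CGI/FormMagick.pm 2019-01-27 14:32:14.186747779 -0500
@@ -202,6 +202,7 @@
 # Create a CSRF token to compare later with. And store it in the session
 if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
 $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
+$self->{cgi}->param(-name => 'csrf_timestamp', -value => time);
 $self->commit_session;
 }
 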
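Review bot: The added `csrf_timestamp` is written only inside the `not ... param('csrf_token_compare')` branch, i.e. once when the compare token is first created, and nothing in this hunk refreshes it afterwards; combined with the 120 s check added in Events.pm, a session whose token is older than two minutes would fail every later POST unless something outside this hunk clears or regenerates `csrf_token_compare`, which is worth confirming. Sessions created before this patch have a token but no timestamp and hit the same check. If the intent is per-form freshness, the timestamp should be set on every render that emits the form — for example moving `$self->{cgi}->param(-name => 'csrf_timestamp', -value => time);` out of the `if` and committing the session whenever it changes — or the token itself should be regenerated per form. The enclosing sub starts before the hunk.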