/[smeserver]/rpms/perl-CGI-FormMagick/sme9/perl-CGI-FormMagick-CSRFtimeout.patch

Annotation of /rpms/perl-CGI-FormMagick/sme9/perl-CGI-FormMagick-CSRFtimeout.patch



Revision 1.1 - (hide annotations) (download)
Sun Jan 27 20:29:25 2019 UTC (5 years, 10 months ago) by jpp
Branch: MAIN
* Sun Jan 27 2019 Jean-Philipe Pialasse <tests@pialasse.com> 0.93-6.sme
- add timeout 2min on CSRF token [SME: 10626]

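--- a/usr/share/perl5/vendor_perl/CGI/FormMagick/Events.pm
+++ b/usr/share/perl5/vendor_perl/CGI/FormMagick/Events.pm
@@ -83,8 +83,12 @@
 $self->debug_msg("Validation successful.");
 
 # Don't run any post event unless it's a POST request
+ $self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method || '') eq 'POST') ;
 return unless (($self->{cgi}->request_method || '') eq 'POST');
- if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+ if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+ or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {
+ # only 3 min to validate form
+ $self->debug_msg("SRF protection blocked request");
 warn "CSRF protection blocked request\n";
 return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
 }
@@ -142,8 +146,12 @@
 $self->debug_msg("This is the page post-event.");
 
 # Don't run any post event unless it's a POST request
+ $self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method || '') eq 'POST') ;
 return unless (($self->{cgi}->request_method || '') eq 'POST');
- if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+ if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+ or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {
+ # only 3 min to validate form
+ $self->debug_msg("SRF protection blocked request");
 warn "CSRF protection blocked request\n";
 return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
 }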
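Review bot: The comment `# only 3 min to validate form` added in both hunks (the check after "Validation successful." and the identical one after "This is the page post-event.") contradicts the code next to it, which rejects the request once `csrf_timestamp + 120 < time`, i.e. after two minutes, which is also what the changelog says; change it to `# only 2 min (120 s) to validate form`. The new debug message `"SRF protection blocked request"` in both hunks is missing the C — make it `"CSRF protection blocked request"` so it matches the `warn` on the following line and the two can be correlated in logs. The expiry is read from `$self->{cgi}->param('csrf_timestamp')`; if that parameter is repopulated from the session the way `csrf_token_compare` presumably is, the check is sound, but if a submitted form field of the same name can shadow the stored value the expiry would no longer be under the server's control, so this is worth confirming against the session-restore code, which is outside this patch. Since the token-and-timeout test is now duplicated verbatim in two subs, factoring it into one helper as below and calling `return $self->error(...) unless $self->_csrf_request_ok;` from both places keeps the two checks from drifting (a missing timestamp still fails closed, as it does today via `undef + 120`). Both enclosing subs start and end outside the hunks.

```perl
# Shared by both post-event checks. True when CSRF protection is off, or the
# submitted token matches the stored one and the token was issued less than
# 120 s ago.  A missing timestamp evaluates as 0 and therefore fails closed.
sub _csrf_request_ok {
    my ($self) = @_;
    return 1 unless $self->{csrf};
    my $cgi    = $self->{cgi};
    my $issued = $cgi->param('csrf_timestamp') // 0;
    return 0 if ($cgi->param('csrf_token') || '') ne ($cgi->param('csrf_token_compare') // '');
    return 0 if $issued + 120 < time;   # 2 min (120 s), matching the changelog
    return 1;
}
```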
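--- a/usr/share/perl5/vendor_perl/CGI/FormMagick.pm
+++ b/usr/share/perl5/vendor_perl/CGI/FormMagick.pm
@@ -202,6 +202,7 @@
 # Create a CSRF token to compare later with. And store it in the session
 if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
 $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
+ $self->{cgi}->param(-name => 'csrf_timestamp', -value => time);
 $self->commit_session;
 }
 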
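Review bot: The new `csrf_timestamp` is set only inside the branch that runs when `csrf_token_compare` is not yet present, so it is stamped once per session alongside the token and never refreshed; unless something outside this patch regenerates the token, any form rendered in that session more than two minutes after the first one would be rejected by the Events.pm check as expired, which is worth confirming. If the intent is a per-form validity window, either stamp on every render — move `$self->{cgi}->param(-name => 'csrf_timestamp', -value => time);` out of the `if` while keeping the `commit_session` call so it persists — or clear `csrf_token_compare` after a successful POST so the next render mints a fresh token and timestamp. A comment above the added line, `# Issue time of the token; Events.pm rejects a POST made more than 120 s later`, would tie the two halves of the patch together for the next reader. The enclosing sub starts and ends outside the hunk.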
