perl-CGI-FormMagick/sme9/perl-CGI-FormMagick-CSRFtimeout.patch

--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm   2019-01-27 13:17:40.000000000 -0500
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm       2019-01-27 14:35:18.143816986 -0500
@@ -83,8 +83,12 @@
         $self->debug_msg("Validation successful.");
 
         # Don't run any post event unless it's a POST request
+        $self->debug_msg("Request method should be POST.")  unless (($self->{cgi}->request_method || '') eq 'POST') ;
         return unless (($self->{cgi}->request_method || '') eq 'POST');
-        if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+        if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+           or $self->{cgi}->param('csrf_timestamp') + 120  < time ) ) {
+           # only 3 min to validate form
+           $self->debug_msg("SRF protection blocked request");
             warn "CSRF protection blocked request\n";
             return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
         }
@@ -142,8 +146,12 @@
     $self->debug_msg("This is the page post-event.");
 
     # Don't run any post event unless it's a POST request
+    $self->debug_msg("Request method should be POST.")  unless (($self->{cgi}->request_method || '') eq 'POST') ;
     return unless (($self->{cgi}->request_method || '') eq 'POST');
-    if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+    if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+       or $self->{cgi}->param('csrf_timestamp') + 120  < time ) ) {
+        # only 3 min to validate form
+        $self->debug_msg("SRF protection blocked request");
         warn "CSRF protection blocked request\n";
         return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
     }
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm  2019-01-27 13:17:40.000000000 -0500
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm      2019-01-27 14:32:14.186747779 -0500
@@ -202,6 +202,7 @@
     # Create a CSRF token to compare later with. And store it in the session
     if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
         $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
+       $self->{cgi}->param(-name => 'csrf_timestamp', -value =>  time);
         $self->commit_session;
     }
 
1	jpp	1.2	--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm 2019-01-27 13:17:40.000000000 -0500
2			+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2019-01-27 14:35:18.143816986 -0500
3	jpp	1.1	@@ -83,8 +83,12 @@
4			$self->debug_msg("Validation successful.");
5
6			# Don't run any post event unless it's a POST request
7			+ $self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method \|\| '') eq 'POST') ;
8			return unless (($self->{cgi}->request_method \|\| '') eq 'POST');
9			- if ($self->{csrf} and ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')){
10			+ if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')
11			+ or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {
12			+ # only 3 min to validate form
13			+ $self->debug_msg("SRF protection blocked request");
14			warn "CSRF protection blocked request\n";
15			return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
16			}
17			@@ -142,8 +146,12 @@
18			$self->debug_msg("This is the page post-event.");
19
20			# Don't run any post event unless it's a POST request
21			+ $self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method \|\| '') eq 'POST') ;
22			return unless (($self->{cgi}->request_method \|\| '') eq 'POST');
23			- if ($self->{csrf} and ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')){
24			+ if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')
25			+ or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {
26			+ # only 3 min to validate form
27			+ $self->debug_msg("SRF protection blocked request");
28			warn "CSRF protection blocked request\n";
29			return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
30			}
31	jpp	1.2	--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm 2019-01-27 13:17:40.000000000 -0500
32			+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2019-01-27 14:32:14.186747779 -0500
33	jpp	1.1	@@ -202,6 +202,7 @@
34			# Create a CSRF token to compare later with. And store it in the session
35			if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
36			$self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
37			+ $self->{cgi}->param(-name => 'csrf_timestamp', -value => time);
38			$self->commit_session;
39			}
40