/[smeserver]/rpms/perl-CGI-FormMagick/sme9/perl-CGI-FormMagick-CSRFtimeout.patch

Contents of /rpms/perl-CGI-FormMagick/sme9/perl-CGI-FormMagick-CSRFtimeout.patch



Revision 1.1 - (show annotations) (download)
Sun Jan 27 20:29:25 2019 UTC (5 years, 10 months ago) by jpp
Branch: MAIN
* Sun Jan 27 2019 Jean-Philipe Pialasse <tests@pialasse.com> 0.93-6.sme
- add timeout 2min on CSRF token [SME: 10626]

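--- a/usr/share/perl5/vendor_perl/CGI/FormMagick/Events.pm
+++ b/usr/share/perl5/vendor_perl/CGI/FormMagick/Events.pm
@@ -83,8 +83,12 @@
 $self->debug_msg("Validation successful.");
 
 # Don't run any post event unless it's a POST request
+$self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method || '') eq 'POST') ;
 return unless (($self->{cgi}->request_method || '') eq 'POST');
-if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {
+# only 3 min to validate form
+$self->debug_msg("SRF protection blocked request");
 warn "CSRF protection blocked request\n";
 return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
 }
@@ -142,8 +146,12 @@
 $self->debug_msg("This is the page post-event.");
 
 # Don't run any post event unless it's a POST request
+$self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method || '') eq 'POST') ;
 return unless (($self->{cgi}->request_method || '') eq 'POST');
-if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {
+# only 3 min to validate form
+$self->debug_msg("SRF protection blocked request");
 warn "CSRF protection blocked request\n";
 return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
 }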
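Review bot: The new timeout condition enforces 120 s, but the comment added right below it says `# only 3 min to validate form` and the new debug message is misspelt; I would change them to `# only 2 min (120 s) to validate the form` and `$self->debug_msg("CSRF protection blocked request");`, in both this hunk and the post-event hunk at line 146 which repeats the same lines. Whether the timeout adds protection depends on where `csrf_timestamp` is read from: if it is restored from the server-side session alongside csrf_token_compare it works as intended, but if it can come from the submitted request it is client-controlled and only a freshness hint — worth confirming against how the session restores params. A missing or non-numeric `csrf_timestamp` evaluates to 0 under `+` (fail-closed, but with an uninitialized-value warning); `($self->{cgi}->param('csrf_timestamp') || 0) + 120 < time` matches the `|| ''` style already used on the token line. The enclosing subroutines start and end outside both hunks.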
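--- a/usr/share/perl5/vendor_perl/CGI/FormMagick.pm
+++ b/usr/share/perl5/vendor_perl/CGI/FormMagick.pm
@@ -202,6 +202,7 @@
 # Create a CSRF token to compare later with. And store it in the session
 if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
 $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
+$self->{cgi}->param(-name => 'csrf_timestamp', -value => time);
 $self->commit_session;
 }
 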
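Review bot: The timestamp is only written when `csrf_token_compare` is absent, so once the stored pair is older than 120 s nothing here refreshes it and every later submission in that session is rejected by the Events.pm check unless something else clears the token — please confirm whether error() or the session handling resets it. If not, the guard should also refresh an expired pair, e.g. `if ($self->{csrf} and (not $self->{cgi}->param('csrf_token_compare') or ($self->{cgi}->param('csrf_timestamp') || 0) + 120 < time)) {`, taking care that the refresh does not run on the POST request before it is validated. The 120-second window is now spelled out in three places across the two files; a single named constant (e.g. `use constant CSRF_TOKEN_TTL => 120;` in this package, referenced from Events.pm if they share it) would keep them in sync. The enclosing subroutine starts and ends outside the hunk.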
