diff options
author | Joey Hess <joey@kitenet.net> | 2010-05-14 14:21:45 -0400 |
---|---|---|
committer | Joey Hess <joey@kitenet.net> | 2010-05-14 14:21:45 -0400 |
commit | 8ff761afa24febdb280c672b3b31d6145990f050 (patch) | |
tree | 3d00cbd45d48833c0d7e8084b5da1739ff11030f /IkiWiki/Plugin | |
parent | ab3efb21d9f3c43cf01e5d1be5a55cf7a233adfb (diff) | |
download | ikiwiki-8ff761afa24febdb280c672b3b31d6145990f050.tar ikiwiki-8ff761afa24febdb280c672b3b31d6145990f050.tar.gz |
remove, rename: Add guards against XSRF attacks.
Diffstat (limited to 'IkiWiki/Plugin')
-rw-r--r-- | IkiWiki/Plugin/remove.pm | 4 | ||||
-rw-r--r-- | IkiWiki/Plugin/rename.pm | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/IkiWiki/Plugin/remove.pm b/IkiWiki/Plugin/remove.pm index a46294e78..d23b2cc10 100644 --- a/IkiWiki/Plugin/remove.pm +++ b/IkiWiki/Plugin/remove.pm @@ -107,6 +107,8 @@ sub confirmation_form ($$) { fields => [qw{do page}], ); + $f->field(name => "sid", type => "hidden", value => $session->id, + force => 1); $f->field(name => "do", type => "hidden", value => "remove", force => 1); return $f, ["Remove", "Cancel"]; @@ -188,6 +190,8 @@ sub sessioncgi ($$) { postremove($session); } elsif ($form->submitted eq 'Remove' && $form->validate) { + IkiWiki::checksessionexpiry($q, $session, $q->param('sid')); + my @pages=$form->field("page"); # Validate removal by checking that the page exists, diff --git a/IkiWiki/Plugin/rename.pm b/IkiWiki/Plugin/rename.pm index 537e91317..0da90a538 100644 --- a/IkiWiki/Plugin/rename.pm +++ b/IkiWiki/Plugin/rename.pm @@ -131,6 +131,8 @@ sub rename_form ($$$) { ); $f->field(name => "do", type => "hidden", value => "rename", force => 1); + $f->field(name => "sid", type => "hidden", value => $session->id, + force => 1); $f->field(name => "page", type => "hidden", value => $page, force => 1); $f->field(name => "new_name", value => pagetitle($page, 1), size => 60); if (!$q->param("attachment")) { @@ -286,6 +288,8 @@ sub sessioncgi ($$) { postrename($session); } elsif ($form->submitted eq 'Rename' && $form->validate) { + IkiWiki::checksessionexpiry($q, $session, $q->param('sid')); + # Queue of rename actions to perfom. my @torename; |