aboutsummaryrefslogtreecommitdiff
path: root/IkiWiki/Plugin
diff options
context:
space:
mode:
authorJoey Hess <joey@kitenet.net>2010-05-14 14:21:45 -0400
committerJoey Hess <joey@kitenet.net>2010-05-14 14:21:45 -0400
commit8ff761afa24febdb280c672b3b31d6145990f050 (patch)
tree3d00cbd45d48833c0d7e8084b5da1739ff11030f /IkiWiki/Plugin
parentab3efb21d9f3c43cf01e5d1be5a55cf7a233adfb (diff)
downloadikiwiki-8ff761afa24febdb280c672b3b31d6145990f050.tar
ikiwiki-8ff761afa24febdb280c672b3b31d6145990f050.tar.gz
remove, rename: Add guards against XSRF attacks.
Diffstat (limited to 'IkiWiki/Plugin')
-rw-r--r--IkiWiki/Plugin/remove.pm4
-rw-r--r--IkiWiki/Plugin/rename.pm4
2 files changed, 8 insertions, 0 deletions
diff --git a/IkiWiki/Plugin/remove.pm b/IkiWiki/Plugin/remove.pm
index a46294e78..d23b2cc10 100644
--- a/IkiWiki/Plugin/remove.pm
+++ b/IkiWiki/Plugin/remove.pm
@@ -107,6 +107,8 @@ sub confirmation_form ($$) {
fields => [qw{do page}],
);
+ $f->field(name => "sid", type => "hidden", value => $session->id,
+ force => 1);
$f->field(name => "do", type => "hidden", value => "remove", force => 1);
return $f, ["Remove", "Cancel"];
@@ -188,6 +190,8 @@ sub sessioncgi ($$) {
postremove($session);
}
elsif ($form->submitted eq 'Remove' && $form->validate) {
+ IkiWiki::checksessionexpiry($q, $session, $q->param('sid'));
+
my @pages=$form->field("page");
# Validate removal by checking that the page exists,
diff --git a/IkiWiki/Plugin/rename.pm b/IkiWiki/Plugin/rename.pm
index 537e91317..0da90a538 100644
--- a/IkiWiki/Plugin/rename.pm
+++ b/IkiWiki/Plugin/rename.pm
@@ -131,6 +131,8 @@ sub rename_form ($$$) {
);
$f->field(name => "do", type => "hidden", value => "rename", force => 1);
+ $f->field(name => "sid", type => "hidden", value => $session->id,
+ force => 1);
$f->field(name => "page", type => "hidden", value => $page, force => 1);
$f->field(name => "new_name", value => pagetitle($page, 1), size => 60);
if (!$q->param("attachment")) {
@@ -286,6 +288,8 @@ sub sessioncgi ($$) {
postrename($session);
}
elsif ($form->submitted eq 'Rename' && $form->validate) {
+ IkiWiki::checksessionexpiry($q, $session, $q->param('sid'));
+
# Queue of rename actions to perfom.
my @torename;