changeset 359:f7a806d5060f

Add preliminary code for CSRF prevention via unique hash tokens. Not fully implemented yet.
author Matti Hamalainen <ccr@tnsp.org>
date Tue, 03 Dec 2013 10:58:46 +0200
parents 0244aeeab6e7
children 2af8458058ab
files majax.php msitegen.inc.php
diffstat 2 files changed, 10 insertions(+), 1 deletions(-) [+]
--- a/majax.php	Tue Dec 03 10:31:37 2013 +0200
+++ b/majax.php	Tue Dec 03 10:58:46 2013 +0200
@@ -100,6 +100,10 @@
 
 function jsSendPOSTRequest(params, success, failure)
 {
+<?
+  if (($csrfID = stGetSessionItem("csrfID", FALSE)) !== FALSE)
+    echo "  params += \"&csrfID=".$csrfID."\";\n";
+?>
   var req = jsCreateXMLRequest();
   req.open("POST", "<? echo $backend ?>", true);
   req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
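Review bot: The session token on the added `echo` line is spliced raw into both a JavaScript string literal and the `application/x-www-form-urlencoded` body, so any character outside the unreserved set (`&`, `=`, `"`, `+`, `%`) would corrupt the parameter or break the script; encode it for that context, e.g. `echo "  params += \"&csrfID=".rawurlencode($csrfID)."\";\n";`. If the token is generated as a hex or base64 hash this is harmless today, but the encoding makes the generator's output alphabet irrelevant to this emitter. The same value is emitted into a hidden input in msitegen.inc.php in this changeset; whether that path is attribute-safe depends on what stGetFormHiddenInput escapes, which is not visible here. jsSendPOSTRequest's body continues outside the hunk.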
--- a/msitegen.inc.php	Tue Dec 03 10:31:37 2013 +0200
+++ b/msitegen.inc.php	Tue Dec 03 10:58:46 2013 +0200
@@ -245,10 +245,15 @@
 
 function stGetFormStart($name, $action = "", $method = "post")
 {
-  return
+  $str =
     "<form name=\"".$name."\" action=\"".
     ($action != "" ? $action : $name).
     "\" method=\"".$method."\">\n";
+
+  if (($csrfID = stGetSessionItem("csrfID", FALSE)) !== FALSE)
+    $str .= stGetFormHiddenInput("csrfID", $csrfID)."\n";
+  
+  return $str;
 }