perl-CGI-FormMagick/perl-CGI-FormMagick-CSRFtimeout.patch


--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm 2019-01-27 13:17:40.000000000 -0500
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2019-01-27 14:35:18.143816986 -0500
@@ -83,8 +83,12 @@
$self->debug_msg("Validation successful.");
# Don't run any post event unless it's a POST request
+ $self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method || '') eq 'POST') ;
return unless (($self->{cgi}->request_method || '') eq 'POST');
- if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+ if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+ or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {
+ # only 3 min to validate form
+ $self->debug_msg("SRF protection blocked request");
warn "CSRF protection blocked request\n";
return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
}
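Review bot: The comment `# only 3 min to validate form` contradicts the condition directly above it, which allows `csrf_timestamp` + 120 seconds, i.e. two minutes. One of the two is wrong and should be corrected so the intended token lifetime is unambiguous, for example `# token is valid for 120 seconds` if the code is right. The added debug line also logs `"SRF protection blocked request"` while the `warn` below it says CSRF, so searching logs for "CSRF" misses it; it should read `$self->debug_msg("CSRF protection blocked request");`. Both issues are repeated verbatim in the second Events.pm hunk (@@ -142). The enclosing sub starts and ends outside the hunk.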
@@ -142,8 +146,12 @@
$self->debug_msg("This is the page post-event.");
# Don't run any post event unless it's a POST request
+ $self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method || '') eq 'POST') ;
return unless (($self->{cgi}->request_method || '') eq 'POST');
- if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+ if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+ or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {
+ # only 3 min to validate form
+ $self->debug_msg("SRF protection blocked request");
warn "CSRF protection blocked request\n";
return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
}
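Review bot: This is a second verbatim copy of the token-and-expiry check added at @@ -83, and both copies use `csrf_timestamp` in arithmetic without checking that it is defined and numeric. A missing value still fails closed (undef counts as 0) but emits an "uninitialized value" warning on every request. Moving the check into one private method keeps the lifetime in one place and lets it reject missing or malformed values explicitly. Whether a submitted form field named `csrf_timestamp` or `csrf_token_compare` can shadow the stored session value is not visible here and is worth confirming, since both are read through the same `param()` accessor as request input. The enclosing sub starts and ends outside the hunk.

```perl
# Shared by both post-event paths; returns true when the request must be rejected.
sub _csrf_rejected {
    my ($self) = @_;
    return 0 unless $self->{csrf};

    my $lifetime = 120;    # seconds; reconcile with the "3 min" comment
    my $cgi      = $self->{cgi};
    my $expected = $cgi->param('csrf_token_compare');
    my $issued   = $cgi->param('csrf_timestamp');

    # Fail closed when the stored token or its timestamp is absent or malformed.
    return 1 unless defined $expected and length $expected;
    return 1 unless defined $issued and $issued =~ /\A\d+\z/;

    return 1 if ($cgi->param('csrf_token') || '') ne $expected;
    return $issued + $lifetime < time ? 1 : 0;
}

# … unchanged: POST-only guard …
if ($self->_csrf_rejected) {
    # … unchanged: debug_msg, warn and error return …
}
```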
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm 2019-01-27 13:17:40.000000000 -0500
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2019-01-27 14:32:14.186747779 -0500
@@ -202,6 +202,7 @@
# Create a CSRF token to compare later with. And store it in the session
if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
$self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
+ $self->{cgi}->param(-name => 'csrf_timestamp', -value => time);
$self->commit_session;
}
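Review bot: `csrf_timestamp` is written only inside the `not $self->{cgi}->param('csrf_token_compare')` branch, so a session that already holds a token (for instance one created before this patch) never receives a timestamp, and the new check in Events.pm then evaluates `undef + 120 < time` and rejects every POST. The same appears to hold once the 120 seconds have passed: nothing in this hunk refreshes the token or the timestamp, so unless code outside the hunk clears `csrf_token_compare`, the form stays blocked for the rest of the session. Consider issuing a fresh pair whenever the timestamp is missing as well, e.g. `if ($self->{csrf} and (not $self->{cgi}->param('csrf_token_compare') or not $self->{cgi}->param('csrf_timestamp'))) {`, and decide explicitly where an expired token gets rotated. The enclosing sub starts and ends outside the hunk.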