perl-CGI-FormMagick/perl-CGI-FormMagick-0.93-csrf.patch

78 lines
3.6 KiB
Diff
Raw Permalink Normal View History

diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/Events.pm
--- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2005-10-31 18:24:02.000000000 +0100
+++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/Events.pm 2018-10-10 08:17:20.871139677 +0200
@@ -79,6 +79,13 @@
} else {
$self->debug_msg("Validation successful.");
+ # Don't run any post event unless it's a POST request
+ return unless (($self->{cgi}->request_method || '') eq 'POST');
+ if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+ warn "CSRF protection blocked request\n";
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
+ }
+
# find out what the form post_event action is.
my $post_form_routine = $self->{xml}->{'post-event'};
@@ -130,6 +137,14 @@
sub page_post_event {
my ($self) = @_;
$self->debug_msg("This is the page post-event.");
+
+ # Don't run any post event unless it's a POST request
+ return unless (($self->{cgi}->request_method || '') eq 'POST');
+ if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+ warn "CSRF protection blocked request\n";
+ return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
+ }
+
if (my $post_page_routine = $self->page->{'post-event'}) {
$self->debug_msg("The post-routine is $post_page_routine");
$self->do_external_routine($post_page_routine);
diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/HTML.pm
--- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/HTML.pm 2018-10-09 16:57:49.511171415 +0200
+++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick/HTML.pm 2018-10-09 17:01:20.380167138 +0200
@@ -182,6 +182,9 @@
print qq( <input type="hidden" name="page" value="$fm->{page_number}">\n);
print qq( <input type="hidden" name="page_stack" value="$fm->{page_stack}">\n);
print " ",$fm->{cgi}->state_field(), "\n"; # hidden field with state ID
+ if ($fm->{cgi}->param('csrf_token_compare')){
+ print " <input type=\"hidden\" name=\"csrf_token\" value=\"" . $fm->{cgi}->param('csrf_token_compare') . "\">\n";
+ }
print " <table class=\"sme-noborders\">\n";
if ($menu)
diff -Nur perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick.pm
--- perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2013-01-25 18:31:36.000000000 +0100
+++ perl-CGI-FormMagick-0.93_bz10626/lib/CGI/FormMagick.pm 2018-10-09 17:00:30.323930724 +0200
@@ -24,6 +24,7 @@
use CGI::FormMagick::Utils;
use CGI::FormMagick::Sub;
use File::Basename;
+use Session::Token;
use strict;
use Carp;
@@ -181,6 +182,7 @@
$self->{charset} = $args{charset} || 'UTF-8';
$self->{cgi} = $args{cgi};
$self->{debug} = $args{debug} || 0;
+ $self->{csrf} = $args{csrf} || 0;
if ($self->{cgi}) {
if ($args{sessiondir}) {
@@ -194,7 +196,11 @@
local $^W = 0;
$self->{cgi} = new CGI::Persistent $self->{sessiondir};
}
-
+ # Create a CSRF token to compare later with. And store it in the session
+ if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
+ $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
+ $self->commit_session;
+ }
foreach (qw(PREVIOUSBUTTON RESETBUTTON STARTOVERLINK NEXTBUTTON)) {
if (exists $args{$_}) {