perl-CGI-FormMagick/perl-CGI-FormMagick-CSRFtimeout.patch

--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm	2019-01-27 13:17:40.000000000 -0500
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm	2019-01-27 14:35:18.143816986 -0500
@@ -83,8 +83,12 @@
         $self->debug_msg("Validation successful.");
 
         # Don't run any post event unless it's a POST request
+        $self->debug_msg("Request method should be POST.")  unless (($self->{cgi}->request_method || '') eq 'POST') ;
         return unless (($self->{cgi}->request_method || '') eq 'POST');
-        if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+        if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+           or $self->{cgi}->param('csrf_timestamp') + 120  < time ) ) {
+	    # only 3 min to validate form
+	    $self->debug_msg("SRF protection blocked request");
             warn "CSRF protection blocked request\n";
             return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
         }
@@ -142,8 +146,12 @@
     $self->debug_msg("This is the page post-event.");
 
     # Don't run any post event unless it's a POST request
+    $self->debug_msg("Request method should be POST.")  unless (($self->{cgi}->request_method || '') eq 'POST') ;
     return unless (($self->{cgi}->request_method || '') eq 'POST');
-    if ($self->{csrf} and ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')){
+    if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') || '') ne $self->{cgi}->param('csrf_token_compare')
+       or $self->{cgi}->param('csrf_timestamp') + 120  < time ) ) {
+        # only 3 min to validate form
+        $self->debug_msg("SRF protection blocked request");
         warn "CSRF protection blocked request\n";
         return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));
     }
--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm	2019-01-27 13:17:40.000000000 -0500
+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm	2019-01-27 14:32:14.186747779 -0500
@@ -202,6 +202,7 @@
     # Create a CSRF token to compare later with. And store it in the session
     if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){
         $self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);
+	$self->{cgi}->param(-name => 'csrf_timestamp', -value =>  time);
         $self->commit_session;
     }
initial commit of file from CVS for perl-CGI-FormMagick on Fri 14 Jul 13:55:09 BST 2023 2023-07-14 14:55:09 +02:00			`--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick/Events.pm 2019-01-27 13:17:40.000000000 -0500`
			`+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick/Events.pm 2019-01-27 14:35:18.143816986 -0500`
			`@@ -83,8 +83,12 @@`
			`$self->debug_msg("Validation successful.");`

			`# Don't run any post event unless it's a POST request`
			`+ $self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method \|\| '') eq 'POST') ;`
			`return unless (($self->{cgi}->request_method \|\| '') eq 'POST');`
			`- if ($self->{csrf} and ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')){`
			`+ if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')`
			`+ or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {`
			`+ # only 3 min to validate form`
			`+ $self->debug_msg("SRF protection blocked request");`
			`warn "CSRF protection blocked request\n";`
			`return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));`
			`}`
			`@@ -142,8 +146,12 @@`
			`$self->debug_msg("This is the page post-event.");`

			`# Don't run any post event unless it's a POST request`
			`+ $self->debug_msg("Request method should be POST.") unless (($self->{cgi}->request_method \|\| '') eq 'POST') ;`
			`return unless (($self->{cgi}->request_method \|\| '') eq 'POST');`
			`- if ($self->{csrf} and ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')){`
			`+ if ($self->{csrf} and ( ($self->{cgi}->param('csrf_token') \|\| '') ne $self->{cgi}->param('csrf_token_compare')`
			`+ or $self->{cgi}->param('csrf_timestamp') + 120 < time ) ) {`
			`+ # only 3 min to validate form`
			`+ $self->debug_msg("SRF protection blocked request");`
			`warn "CSRF protection blocked request\n";`
			`return $self->error($self->localise('CSRF_VALIDATION_FAILURE'));`
			`}`
			`--- perl-CGI-FormMagick-0.93.old/lib/CGI/FormMagick.pm 2019-01-27 13:17:40.000000000 -0500`
			`+++ perl-CGI-FormMagick-0.93/lib/CGI/FormMagick.pm 2019-01-27 14:32:14.186747779 -0500`
			`@@ -202,6 +202,7 @@`
			`# Create a CSRF token to compare later with. And store it in the session`
			`if ($self->{csrf} and not $self->{cgi}->param('csrf_token_compare')){`
			`$self->{cgi}->param(-name => 'csrf_token_compare', -value => Session::Token->new(entropy => 256)->get);`
			`+ $self->{cgi}->param(-name => 'csrf_timestamp', -value => time);`
			`$self->commit_session;`
			`}`