Overview
| Comment: | Add the 'insertCsrf' and 'verifyCsrf' commands to TH1. |
|---|---|
| Downloads: | Tarball, ZIP archive, SQL archive |
| Timelines: | family, ancestors, descendants, both, th1AntiCsrf |
| Files: | files, file ages, folders |
| SHA1: | 0357c1693064377a59b330925a24226a |
| User & Date: | mistachkin 2016-01-31 21:13:00.212 |
Context
2016-02-01
20:35 | Add the 'insertCsrf' and 'verifyCsrf' commands to TH1. ... (check-in: f8820eff user: mistachkin tags: trunk)
04:38 | Test of latest feature branches, do not merge. ... (Closed-Leaf check-in: 1a164e5f user: mistachkin tags: do-not-merge, feature-test)
2016-01-31
21:13 | Add the 'insertCsrf' and 'verifyCsrf' commands to TH1. ... (Closed-Leaf check-in: 0357c169 user: mistachkin tags: th1AntiCsrf)
21:03 | Minor corrections to comments for login_verify_csrf_secret(). ... (check-in: 3c47e0c6 user: mistachkin tags: trunk)
Changes
Changes to src/th_main.c.
︙ | ︙ | |||
449 450 451 452 453 454 455 456 457 458 459 460 461 462 | if( argc!=2 ){ return Th_WrongNumArgs(interp, "redirect URL"); } cgi_redirect(argv[1]); Th_SetResult(interp, argv[1], argl[1]); /* NOT REACHED */ return TH_OK; } /* ** TH1 command: markdown STRING ** ** Renders the input string as markdown. The result is a two-element list. ** The first element is the text-only title string. The second element ** contains the body, rendered as HTML. | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 | if( argc!=2 ){ return Th_WrongNumArgs(interp, "redirect URL"); } cgi_redirect(argv[1]); Th_SetResult(interp, argv[1], argl[1]); /* NOT REACHED */ return TH_OK; } /* ** TH1 command: insertCsrf ** ** While rendering a form, call this command to add the Anti-CSRF token ** as a hidden element of the form. */ static int insertCsrfCmd( Th_Interp *interp, void *p, int argc, const char **argv, int *argl ){ if( argc!=1 ){ return Th_WrongNumArgs(interp, "insertCsrf"); } login_insert_csrf_secret(); return TH_OK; } /* ** TH1 command: verifyCsrf ** ** Before using the results of a form, first call this command to verify ** that this Anti-CSRF token is present and is valid. If the Anti-CSRF token ** is missing or is incorrect, that indicates a cross-site scripting attack. ** If the event of an attack is detected, an error message is generated and ** all further processing is aborted. */ static int verifyCsrfCmd( Th_Interp *interp, void *p, int argc, const char **argv, int *argl ){ if( argc!=1 ){ return Th_WrongNumArgs(interp, "verifyCsrf"); } login_verify_csrf_secret(); return TH_OK; } /* ** TH1 command: markdown STRING ** ** Renders the input string as markdown. The result is a two-element list. 
** The first element is the text-only title string. The second element ** contains the body, rendered as HTML. |
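Review bot: the block comment above verifyCsrfCmd misnames the attack: a missing or incorrect Anti-CSRF token indicates a cross-site request forgery, not a "cross-site scripting attack", and "If the event of an attack is detected" should read "In the event an attack is detected" (the same text is copied into www/th1.md in this check-in, so correct it in both places). Since the comment states that all further processing is aborted on a bad token, it would also help to say that `return TH_OK;` is reached only when login_verify_csrf_secret() accepts the token, so a TH1 script cannot observe or handle a failed verification. The unused `p`, `argv` and `argl` parameters follow the existing TH1 command signature and are fine as written.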
︙ | ︙ | |||
1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 | {"globalState", globalStateCmd, 0}, {"httpize", httpizeCmd, 0}, {"hascap", hascapCmd, (void*)&zeroInt}, {"hasfeature", hasfeatureCmd, 0}, {"html", putsCmd, (void*)&aFlags[0]}, {"htmlize", htmlizeCmd, 0}, {"http", httpCmd, 0}, {"linecount", linecntCmd, 0}, {"markdown", markdownCmd, 0}, {"puts", putsCmd, (void*)&aFlags[1]}, {"query", queryCmd, 0}, {"randhex", randhexCmd, 0}, {"redirect", redirectCmd, 0}, {"regexp", regexpCmd, 0}, {"reinitialize", reinitializeCmd, 0}, {"render", renderCmd, 0}, {"repository", repositoryCmd, 0}, {"searchable", searchableCmd, 0}, {"setParameter", setParameterCmd, 0}, {"setting", settingCmd, 0}, {"styleHeader", styleHeaderCmd, 0}, {"styleFooter", styleFooterCmd, 0}, {"tclReady", tclReadyCmd, 0}, {"trace", traceCmd, 0}, {"stime", stimeCmd, 0}, {"utime", utimeCmd, 0}, {"wiki", wikiCmd, (void*)&aFlags[0]}, {0, 0, 0} }; if( g.thTrace ){ Th_Trace("th1-init 0x%x => 0x%x<br />\n", g.th1Flags, flags); } if( needConfig ){ | > > | 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 | {"globalState", globalStateCmd, 0}, {"httpize", httpizeCmd, 0}, {"hascap", hascapCmd, (void*)&zeroInt}, {"hasfeature", hasfeatureCmd, 0}, {"html", putsCmd, (void*)&aFlags[0]}, {"htmlize", htmlizeCmd, 0}, {"http", httpCmd, 0}, {"insertCsrf", insertCsrfCmd, 0}, {"linecount", linecntCmd, 0}, {"markdown", markdownCmd, 0}, {"puts", putsCmd, (void*)&aFlags[1]}, {"query", queryCmd, 0}, {"randhex", randhexCmd, 0}, {"redirect", redirectCmd, 0}, {"regexp", regexpCmd, 0}, {"reinitialize", reinitializeCmd, 0}, {"render", renderCmd, 0}, {"repository", repositoryCmd, 0}, {"searchable", searchableCmd, 0}, {"setParameter", setParameterCmd, 0}, {"setting", settingCmd, 0}, {"styleHeader", 
styleHeaderCmd, 0}, {"styleFooter", styleFooterCmd, 0}, {"tclReady", tclReadyCmd, 0}, {"trace", traceCmd, 0}, {"stime", stimeCmd, 0}, {"utime", utimeCmd, 0}, {"verifyCsrf", verifyCsrfCmd, 0}, {"wiki", wikiCmd, (void*)&aFlags[0]}, {0, 0, 0} }; if( g.thTrace ){ Th_Trace("th1-init 0x%x => 0x%x<br />\n", g.th1Flags, flags); } if( needConfig ){ |
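Review bot: both registrations land in the right alphabetical slots ("insertCsrf" between "http" and "linecount", "verifyCsrf" between "utime" and "wiki"), so the command table stays consistent for lookup; the pre-existing out-of-order entries ("styleHeader" before "styleFooter", "stime" and "utime" after "trace") are untouched here and could be tidied in a separate check-in rather than mixed into this one.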
︙ | ︙ |
Changes to www/th1.md.
︙ | ︙ | |||
148 149 150 151 152 153 154 155 156 157 158 159 160 161 | * globalState * hascap * hasfeature * html * htmlize * http * httpize * linecount * markdown * puts * query * randhex * redirect * regexp | > | 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 | * globalState * hascap * hasfeature * html * htmlize * http * httpize * insertCsrf * linecount * markdown * puts * query * randhex * redirect * regexp |
︙ | ︙ | |||
172 173 174 175 176 177 178 179 180 181 182 183 184 185 | * tclInvoke * tclIsSafe * tclMakeSafe * tclReady * trace * stime * utime * wiki Each of the commands above is documented by a block comment above their implementation in the th\_main.c or th\_tcl.c source files. All commands starting with "tcl", with the exception of "tclReady", require the Tcl integration subsystem be included at compile-time. | > | 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 | * tclInvoke * tclIsSafe * tclMakeSafe * tclReady * trace * stime * utime * verifyCsrf * wiki Each of the commands above is documented by a block comment above their implementation in the th\_main.c or th\_tcl.c source files. All commands starting with "tcl", with the exception of "tclReady", require the Tcl integration subsystem be included at compile-time. |
︙ | ︙ | |||
377 378 379 380 381 382 383 384 385 386 387 388 389 390 | <a name="httpize"></a>TH1 httpize Command ----------------------------------------- * httpize STRING Escape all characters of STRING which have special meaning in URI components. Returns the escaped string. <a name="linecount"></a>TH1 linecount Command --------------------------------------------- * linecount STRING MAX MIN Returns one more than the number of \n characters in STRING. But | > > > > > > > > | 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 | <a name="httpize"></a>TH1 httpize Command ----------------------------------------- * httpize STRING Escape all characters of STRING which have special meaning in URI components. Returns the escaped string. <a name="insertCsrf"></a>TH1 insertCsrf Command ----------------------------------------------- * insertCsrf While rendering a form, call this command to add the Anti-CSRF token as a hidden element of the form. <a name="linecount"></a>TH1 linecount Command --------------------------------------------- * linecount STRING MAX MIN Returns one more than the number of \n characters in STRING. But |
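Review bot: the insertCsrf entry should say where its output goes and what it pairs with: the hidden element is written into the page as it is rendered, so the command has to be called while the form's HTML is being generated (between the form's opening and closing tags), and the page handler that receives the form must call verifyCsrf, otherwise the token is inserted but never checked. A one-line cross-reference to the verifyCsrf section would make that pairing obvious to TH1 page authors.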
︙ | ︙ | |||
605 606 607 608 609 610 611 612 613 614 615 616 617 618 | <a name="utime"></a>TH1 utime Command ------------------------------------- * utime Returns the number of microseconds of CPU time consumed by the current process in user space. <a name="wiki"></a>TH1 wiki Command ----------------------------------- * wiki STRING Renders STRING as wiki content. | > > > > > > > > > > > | 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 | <a name="utime"></a>TH1 utime Command ------------------------------------- * utime Returns the number of microseconds of CPU time consumed by the current process in user space. <a name="verifyCsrf"></a>TH1 verifyCsrf Command ----------------------------------------------- * verifyCsrf Before using the results of a form, first call this command to verify that this Anti-CSRF token is present and is valid. If the Anti-CSRF token is missing or is incorrect, that indicates a cross-site scripting attack. If the event of an attack is detected, an error message is generated and all further processing is aborted. <a name="wiki"></a>TH1 wiki Command ----------------------------------- * wiki STRING Renders STRING as wiki content. |
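Review bot: the verifyCsrf paragraph repeats the wording problems of the source comment: "cross-site scripting attack" should be "cross-site request forgery attack" (that is what an Anti-CSRF token detects), "this Anti-CSRF token" should be "the Anti-CSRF token", and "If the event of an attack is detected" should be "In the event an attack is detected". Because the paragraph says all further processing is aborted, it would also help to state plainly that nothing after the verifyCsrf call in the script runs when the check fails, so page authors do not write clean-up or redirect code after it expecting it to execute.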
︙ | ︙ |