Overview
Comment: | Minor corrections to comments for login_verify_csrf_secret(). |
---|---|
SHA1: |
3c47e0c66a60c2cab6667e748540f0a2 |
User & Date: | mistachkin 2016-01-31 21:03:02.107 |
Context
2016-02-01
20:35 | Add the 'insertCsrf' and 'verifyCsrf' commands to TH1. ... (check-in: f8820eff user: mistachkin tags: trunk) |
04:38 | Test of latest feature branches, do not merge. ... (Closed-Leaf check-in: 1a164e5f user: mistachkin tags: do-not-merge, feature-test) |
04:34 | Add --https and --nossl options to the 'server' command. ... (Closed-Leaf check-in: 2bf596c9 user: mistachkin tags: serverHttps) |
04:11 | The 'g.zHttpsURL' variable should be populated even when the --baseurl option is used. ... (check-in: c45195f1 user: mistachkin tags: httpsBaseUrl) |
03:56 | Having the 'setup' or 'admin' permission should imply having the 'delete' and 'private' permissions as well (i.e. since they can change their own permissions anyhow). ... (Closed-Leaf check-in: 62f8ac1f user: mistachkin tags: adminPerms) |
2016-01-31
21:13 | Add the 'insertCsrf' and 'verifyCsrf' commands to TH1. ... (Closed-Leaf check-in: 0357c169 user: mistachkin tags: th1AntiCsrf) |
21:03 | Minor corrections to comments for login_verify_csrf_secret(). ... (check-in: 3c47e0c6 user: mistachkin tags: trunk) |
00:51 | Make sure to add the zlib library to LIBS even when configure is run without any arguments. ... (check-in: eb0cf27a user: mistachkin tags: trunk) |
Changes
Changes to src/login.c.
︙ | ︙ | |||
1287 1288 1289 1290 1291 1292 1293 | void login_insert_csrf_secret(void){ @ <input type="hidden" name="csrf" value="%s(g.zCsrfToken)" /> } /* ** Before using the results of a form, first call this routine to verify ** that this Anti-CSRF token is present and is valid. If the Anti-CSRF token | | | > | 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 | void login_insert_csrf_secret(void){ @ <input type="hidden" name="csrf" value="%s(g.zCsrfToken)" /> } /* ** Before using the results of a form, first call this routine to verify ** that this Anti-CSRF token is present and is valid. If the Anti-CSRF token ** is missing or is incorrect, that indicates a cross-site scripting attack. ** If the event of an attack is detected, an error message is generated and ** all further processing is aborted. */ void login_verify_csrf_secret(void){ if( g.okCsrf ) return; if( fossil_strcmp(P("csrf"), g.zCsrfToken)==0 ){ g.okCsrf = 1; return; } |
︙ | ︙ |
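Review bot: The header comment for login_verify_csrf_secret() names the wrong attack class: it says a missing or incorrect token "indicates a cross-site scripting attack", while the same comment calls the value an "Anti-CSRF token", so this should read "cross-site request forgery attack". The following sentence, "If the event of an attack is detected", is also garbled; "In the event that an attack is detected" or simply "If an attack is detected" would read correctly. Since the comment is being touched anyway, it would help to document two behaviours visible in the body: the early return on g.okCsrf means a successful check is remembered and later calls skip the comparison, and the "missing" case described in the comment reaches fossil_strcmp() as whatever P("csrf") yields for an absent parameter, so the comment should state that the comparison is expected to handle that input.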