Fossil

Check-in [3c47e0c6]

Overview
Comment: Minor corrections to comments for login_verify_csrf_secret().
SHA1: 3c47e0c66a60c2cab6667e748540f0a2a2a1c32e
User & Date: mistachkin 2016-01-31 21:03:02.107
Context
2016-02-01
20:35
Add the 'insertCsrf' and 'verifyCsrf' commands to TH1. ... (check-in: f8820eff user: mistachkin tags: trunk)
04:38
Test of latest feature branches, do not merge. ... (Closed-Leaf check-in: 1a164e5f user: mistachkin tags: do-not-merge, feature-test)
04:34
Add --https and --nossl options to the 'server' command. ... (Closed-Leaf check-in: 2bf596c9 user: mistachkin tags: serverHttps)
04:11
The 'g.zHttpsURL' variable should be populated even when the --baseurl option is used. ... (check-in: c45195f1 user: mistachkin tags: httpsBaseUrl)
03:56
Having the 'setup' or 'admin' permission should imply having the 'delete' and 'private' permissions as well (i.e. since they can change their own permissions anyhow). ... (Closed-Leaf check-in: 62f8ac1f user: mistachkin tags: adminPerms)
2016-01-31
21:13
Add the 'insertCsrf' and 'verifyCsrf' commands to TH1. ... (Closed-Leaf check-in: 0357c169 user: mistachkin tags: th1AntiCsrf)
21:03
Minor corrections to comments for login_verify_csrf_secret(). ... (check-in: 3c47e0c6 user: mistachkin tags: trunk)
00:51
Make sure to add the zlib library to LIBS even when configure is run without any arguments. ... (check-in: eb0cf27a user: mistachkin tags: trunk)
Changes
Changes to src/login.c.
1287
1288
1289
1290
1291
1292
1293
1294
1295

1296
1297
1298
1299
1300
1301
1302
void login_insert_csrf_secret(void){
  @ <input type="hidden" name="csrf" value="%s(g.zCsrfToken)" />
}

/*
** Before using the results of a form, first call this routine to verify
** that this Anti-CSRF token is present and is valid.  If the Anti-CSRF token
** is missing or is incorrect, that indicates a cross-site scripting attach
** so emits an error message and abort.

*/
void login_verify_csrf_secret(void){
  if( g.okCsrf ) return;
  if( fossil_strcmp(P("csrf"), g.zCsrfToken)==0 ){
    g.okCsrf = 1;
    return;
  }







|
|
>







1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
void login_insert_csrf_secret(void){
  @ <input type="hidden" name="csrf" value="%s(g.zCsrfToken)" />
}

/*
** Before using the results of a form, first call this routine to verify
** that this Anti-CSRF token is present and is valid.  If the Anti-CSRF token
** is missing or is incorrect, that indicates a cross-site scripting attack.
** If the event of an attack is detected, an error message is generated and
** all further processing is aborted.
*/
void login_verify_csrf_secret(void){
  if( g.okCsrf ) return;
  if( fossil_strcmp(P("csrf"), g.zCsrfToken)==0 ){
    g.okCsrf = 1;
    return;
  }
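Review bot: the reworded comment still names the wrong attack class. The token this routine checks is the anti-CSRF token inserted by login_insert_csrf_secret(), so a missing or mismatched value "indicates a cross-site request forgery (CSRF) attack", not "a cross-site scripting attack" as the new text says; the old comment had the same mistake ("cross-site scripting attach") and this change was the place to fix it. The sentence that follows, "If the event of an attack is detected, an error message is generated and all further processing is aborted.", is also ungrammatical; "When an attack is detected, an error message is generated and all further processing is aborted." keeps the intended meaning. Both edits are comment-only and do not affect the fossil_strcmp(P("csrf"), g.zCsrfToken) check below them.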