Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Minor corrections to comments for login_verify_csrf_secret(). |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA1: | 3c47e0c66a60c2cab6667e748540f0a2 |
| User & Date: | mistachkin 2016-01-31 21:03:02 |
Context
|
2016-02-01
| ||
| 20:35 | Add the 'insertCsrf' and 'verifyCsrf' commands to TH1. check-in: f8820eff user: mistachkin tags: trunk | |
| 04:38 | Test of latest feature branches, do not merge. Closed-Leaf check-in: 1a164e5f user: mistachkin tags: do-not-merge, feature-test | |
| 04:34 | Add --https and --nossl options to the 'server' command. Closed-Leaf check-in: 2bf596c9 user: mistachkin tags: serverHttps | |
| 04:11 | The 'g.zHttpsURL' variable should be populated even when the --baseurl option is used. check-in: c45195f1 user: mistachkin tags: httpsBaseUrl | |
| 03:56 | Having the 'setup' or 'admin' permission should imply having the 'delete' and 'private' permissions as well (i.e. since they can change their own permissions anyhow). Closed-Leaf check-in: 62f8ac1f user: mistachkin tags: adminPerms | |
|
2016-01-31
| ||
| 21:13 | Add the 'insertCsrf' and 'verifyCsrf' commands to TH1. Closed-Leaf check-in: 0357c169 user: mistachkin tags: th1AntiCsrf | |
| 21:03 | Minor corrections to comments for login_verify_csrf_secret(). check-in: 3c47e0c6 user: mistachkin tags: trunk | |
| 00:51 | Make sure to add the zlib library to LIBS even when configure is run without any arguments. check-in: eb0cf27a user: mistachkin tags: trunk | |
Changes
Changes to src/login.c.
1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 |
void login_insert_csrf_secret(void){
@ <input type="hidden" name="csrf" value="%s(g.zCsrfToken)" />
}
/*
** Before using the results of a form, first call this routine to verify
** that this Anti-CSRF token is present and is valid. If the Anti-CSRF token
** is missing or is incorrect, that indicates a cross-site scripting attach
** so emits an error message and abort.
*/
void login_verify_csrf_secret(void){
if( g.okCsrf ) return;
if( fossil_strcmp(P("csrf"), g.zCsrfToken)==0 ){
g.okCsrf = 1;
return;
}
|
| | > |
1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 |
void login_insert_csrf_secret(void){
@ <input type="hidden" name="csrf" value="%s(g.zCsrfToken)" />
}
/*
** Before using the results of a form, first call this routine to verify
** that this Anti-CSRF token is present and is valid. If the Anti-CSRF token
** is missing or is incorrect, that indicates a cross-site scripting attack.
** If the event of an attack is detected, an error message is generated and
** all further processing is aborted.
*/
void login_verify_csrf_secret(void){
if( g.okCsrf ) return;
if( fossil_strcmp(P("csrf"), g.zCsrfToken)==0 ){
g.okCsrf = 1;
return;
}
|