Comment: | New uses for cgi_csrf_safe(). |
SHA3-256: |
c9efdfcaf4b91d0de9cd2c7c717e1efb |
User & Date: | drh 2018-02-12 12:47:03.990 |
Changes to src/info.c.
2616 2617 2618 2619 2620 2621 2622 | zNewColorFlag = P("newclr") ? " checked" : ""; zNewTagFlag = P("newtag") ? " checked" : ""; zNewTag = PDT("tagname",""); zNewBrFlag = P("newbr") ? " checked" : ""; zNewBranch = PDT("brname",""); zCloseFlag = P("close") ? " checked" : ""; zHideFlag = P("hide") ? " checked" : ""; | | | 2616 2617 2618 2619 2620 2621 2622 2623 2624 2625 2626 2627 2628 2629 2630 | zNewColorFlag = P("newclr") ? " checked" : ""; zNewTagFlag = P("newtag") ? " checked" : ""; zNewTag = PDT("tagname",""); zNewBrFlag = P("newbr") ? " checked" : ""; zNewBranch = PDT("brname",""); zCloseFlag = P("close") ? " checked" : ""; zHideFlag = P("hide") ? " checked" : ""; if( P("apply") && cgi_csrf_safe(1) ){ Blob ctrl; char *zNow; login_verify_csrf_secret(); blob_zero(&ctrl); zNow = date_in_standard_format(zChngTime ? zChngTime : "now"); blob_appendf(&ctrl, "D %s\n", zNow); |
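Review bot: A request that carries `apply` but fails `cgi_csrf_safe(1)` is now silently treated as a plain page view — the branch at new line 2623 is skipped and the form is re-rendered with the submitted values, with no error, log entry or status change, so a legitimate user whose browser strips whatever header this check relies on (its definition is outside this change, and the parent check-in only calls it a supplemental CSRF defense) cannot tell why the edit did not apply. Consider making the rejection visible, e.g. an `else if( P("apply") ){ /* report or log rejected submission */ }` branch after the existing block, rather than dropping the request on the floor. A one-line comment on the condition would also help the next reader, since the two checks look redundant at first glance: `/* cgi_csrf_safe() is a supplemental check (check-in 047802a3); the token verified by login_verify_csrf_secret() below remains authoritative */`. The enclosing function begins and ends outside this hunk.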
Changes to src/skins.c.
465 466 467 468 469 470 471 | } db_begin_transaction(); zCurrent = getSkin(0); for(i=0; i<count(aBuiltinSkin); i++){ aBuiltinSkin[i].zSQL = getSkin(aBuiltinSkin[i].zLabel); } | > | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | > | 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 | } db_begin_transaction(); zCurrent = getSkin(0); for(i=0; i<count(aBuiltinSkin); i++){ aBuiltinSkin[i].zSQL = getSkin(aBuiltinSkin[i].zLabel); } if( cgi_csrf_safe(1) ){ /* Process requests to delete a user-defined skin */ if( P("del1") && (zName = skinVarName(P("sn"), 1))!=0 ){ style_header("Confirm Custom Skin Delete"); @ <form action="%s(g.zTop)/setup_skin_admin" method="post"><div> @ <p>Deletion of a custom skin is a permanent action that cannot @ be undone. Please confirm that this is what you want to do:</p> @ <input type="hidden" name="sn" value="%h(P("sn"))" /> @ <input type="submit" name="del2" value="Confirm - Delete The Skin" /> @ <input type="submit" name="cancel" value="Cancel - Do Not Delete" /> login_insert_csrf_secret(); @ </div></form> style_footer(); return; } if( P("del2")!=0 && (zName = skinVarName(P("sn"), 1))!=0 ){ db_multi_exec("DELETE FROM config WHERE name=%Q", zName); } if( P("draftdel")!=0 ){ const char *zDraft = P("name"); if( sqlite3_strglob("draft[1-9]",zDraft)==0 ){ db_multi_exec("DELETE FROM config WHERE name GLOB '%q-*'", zDraft); } } if( skinRename() ) return; if( skinSave(zCurrent) ) return; /* The user pressed one of the "Install" buttons. */ if( P("load") && (z = P("sn"))!=0 && z[0] ){ int seen = 0; /* Check to see if the current skin is already saved. 
If it is, there ** is no need to create a backup */ zCurrent = getSkin(0); for(i=0; i<count(aBuiltinSkin); i++){ if( fossil_strcmp(aBuiltinSkin[i].zSQL, zCurrent)==0 ){ seen = 1; break; } } if( !seen ){ seen = db_exists("SELECT 1 FROM config WHERE name GLOB 'skin:*'" " AND value=%Q", zCurrent); if( !seen ){ db_multi_exec( "INSERT INTO config(name,value,mtime) VALUES(" " strftime('skin:Backup On %%Y-%%m-%%d %%H:%%M:%%S')," " %Q,now())", zCurrent ); } } seen = 0; for(i=0; i<count(aBuiltinSkin); i++){ if( fossil_strcmp(aBuiltinSkin[i].zDesc, z)==0 ){ seen = 1; zCurrent = aBuiltinSkin[i].zSQL; db_multi_exec("%s", zCurrent/*safe-for-%s*/); break; } } if( !seen ){ zName = skinVarName(z,0); zCurrent = db_get(zName, 0); db_multi_exec("%s", zCurrent/*safe-for-%s*/); } } } style_header("Skins"); if( zErr ){ @ <p style="color:red">%h(zErr)</p> } @ <table border="0"> @ <tr><td colspan=4><h2>Built-in Skins:</h2></td></th> for(i=0; i<count(aBuiltinSkin); i++){ |
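Review bot: The destructive paths inside the new `if( cgi_csrf_safe(1) )` block — the `del2` `DELETE FROM config`, `draftdel`, `skinRename()`, `skinSave()` and the `load` install — are gated only by that one check; no `login_verify_csrf_secret()` call is visible anywhere in the hunk, even though the delete-confirmation form it renders emits `login_insert_csrf_secret()`, so the secret that form carries is apparently never checked when `del2` comes back. The parent check-in describes cgi_csrf_safe() as a supplemental defense and the info.c hunk in this same check-in keeps the token check alongside it, so unless setup_skin_admin already verifies the token before line 465 (its start is outside the hunk) the action branches here should do the same, e.g. `if( P("del2")!=0 && (zName = skinVarName(P("sn"), 1))!=0 ){ login_verify_csrf_secret(); db_multi_exec("DELETE FROM config WHERE name=%Q", zName); }` and likewise before `draftdel`, rename/save and install. Placing a single verify at the top of the block would be simpler, but whether that is acceptable depends on how `login_verify_csrf_secret()` behaves when no token is present and on whether `cgi_csrf_safe(1)` already rejects plain GETs — neither is shown here, so confirm before choosing that form. The enclosing function starts and ends outside this hunk.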