X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/bd55d276b3367e2c1792ea868d6e868cc26e2203..96b38807256362f4cf0738ab64d169210ac3aa11:/IkiWiki/CGI.pm?ds=sidebyside diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm index 87cb9c3f3..781974c13 100644 --- a/IkiWiki/CGI.pm +++ b/IkiWiki/CGI.pm @@ -21,7 +21,7 @@ sub printheader ($) { #{{{ } #}}} -sub showform ($$$$) { #{{{ +sub showform ($$$$;@) { #{{{ my $form=shift; my $buttons=shift; my $session=shift; @@ -35,7 +35,7 @@ sub showform ($$$$) { #{{{ } printheader($session); - print misctemplate($form->title, $form->render(submit => $buttons)); + print misctemplate($form->title, $form->render(submit => $buttons), @_); } sub redirect ($$) { #{{{ @@ -161,8 +161,18 @@ sub cgi_prefs ($$) { #{{{ my $session=shift; needsignin($q, $session); - decode_cgi_utf8($q); + + # The session id is stored on the form and checked to + # guard against CSRF. + my $sid=$q->param('sid'); + if (! defined $sid) { + $q->delete_all; + } + elsif ($sid ne $session->id) { + error(gettext("Your login session has expired.")); + } + eval q{use CGI::FormBuilder}; error($@) if $@; my $form = CGI::FormBuilder->new( @@ -193,7 +203,10 @@ sub cgi_prefs ($$) { #{{{ buttons => $buttons); }); - $form->field(name => "do", type => "hidden"); + $form->field(name => "do", type => "hidden", value => "prefs", + force => 1); + $form->field(name => "sid", type => "hidden", value => $session->id, + force => 1); $form->field(name => "email", size => 50, fieldset => "preferences"); $form->field(name => "banned_users", size => 50, fieldset => "admin"); @@ -241,11 +254,11 @@ sub cgi_prefs ($$) { #{{{ sub cgi_editpage ($$) { #{{{ my $q=shift; my $session=shift; - - my @fields=qw(do rcsinfo subpage from page type editcontent comments); - my @buttons=("Save Page", "Preview", "Cancel"); decode_cgi_utf8($q); + + my @fields=qw(do rcsinfo subpage from page type editcontent comments); + my @buttons=("Save Page", "Preview", "Cancel"); eval q{use CGI::FormBuilder}; error($@) if $@; my $form = CGI::FormBuilder->new( @@ -276,6 +289,8 @@ sub cgi_editpage ($$) { #{{{ file_pruned($page, $config{srcdir}) || $page=~/^\//) { error("bad page name"); } + + my $baseurl=$config{url}."/".htmlpage($page); my $from; if (defined $form->field('from')) { @@ -314,6 +329,8 @@ sub cgi_editpage ($$) { #{{{ } $form->field(name => "do", type => 'hidden'); + $form->field(name => "sid", type => "hidden", value => $session->id, + force => 1); $form->field(name => "from", type => 'hidden'); $form->field(name => "rcsinfo", type => 'hidden'); $form->field(name => "subpage", type => 'hidden'); @@ -325,10 +342,9 @@ sub cgi_editpage ($$) { #{{{ $form->tmpl_param("can_commit", $config{rcs}); $form->tmpl_param("indexlink", indexlink()); $form->tmpl_param("helponformattinglink", - htmllink("", "", "ikiwiki/formatting", + htmllink($page, $page, "ikiwiki/formatting", noimageinline => 1, linktext => "FormattingHelp")); - $form->tmpl_param("baseurl", baseurl()); if ($form->submitted eq "Cancel") { if ($form->field("do") eq "create" && defined $from) { @@ -343,6 +359,12 @@ sub cgi_editpage ($$) { #{{{ return; } elsif ($form->submitted eq "Preview") { + my $new=not exists $pagesources{$page}; + if ($new) { + # temporarily record its type + $pagesources{$page}=$page.".".$type; + } + my $content=$form->field('editcontent'); run_hooks(editcontent => sub { $content=shift->( @@ -354,9 +376,13 @@ sub cgi_editpage ($$) { #{{{ }); $form->tmpl_param("page_preview", htmlize($page, $type, - linkify($page, "/", - preprocess($page, "/", - filter($page, "/", $content), 0, 1)))); + linkify($page, $page, + preprocess($page, $page, + filter($page, $page, $content), 0, 1)))); + + if ($new) { + delete $pagesources{$page}; + } # previewing may have created files on disk saveindex(); } @@ -458,23 +484,33 @@ sub cgi_editpage ($$) { #{{{ $form->title(sprintf(gettext("editing %s"), pagetitle($page))); } - showform($form, \@buttons, $session, $q); + showform($form, \@buttons, $session, $q, forcebaseurl => $baseurl); } else { # save page check_canedit($page, $q, $session); + + # The session id is stored on the form and checked to + # guard against CSRF. But only if the user is logged in, + # as anonok can allow anonymous edits. + if (defined $session->param("name")) { + my $sid=$q->param('sid'); + if (! defined $sid || $sid ne $session->id) { + error(gettext("Your login session has expired.")); + } + } my $exists=-e "$config{srcdir}/$file"; if ($form->field("do") ne "create" && ! $exists && - ! eval { srcfile($file) }) { + ! defined srcfile($file, 1)) { $form->tmpl_param("page_gone", 1); $form->field(name => "do", value => "create", force => 1); $form->tmpl_param("page_select", 0); $form->field(name => "page", type => 'hidden'); $form->field(name => "type", type => 'hidden'); $form->title(sprintf(gettext("editing %s"), $page)); - showform($form, \@buttons, $session, $q); + showform($form, \@buttons, $session, $q, forcebaseurl => $baseurl); return; } elsif ($form->field("do") eq "create" && $exists) { @@ -488,7 +524,7 @@ sub cgi_editpage ($$) { #{{{ value => readfile("$config{srcdir}/$file"). "\n\n\n".$form->field("editcontent"), force => 1); - showform($form, \@buttons, $session, $q); + showform($form, \@buttons, $session, $q, forcebaseurl => $baseurl); return; } @@ -518,7 +554,8 @@ sub cgi_editpage ($$) { #{{{ $form->field(name => "page", type => 'hidden'); $form->field(name => "type", type => 'hidden'); $form->title(sprintf(gettext("editing %s"), $page)); - showform($form, \@buttons, $session, $q); + showform($form, \@buttons, $session, $q, + forcebaseurl => $baseurl); return; } @@ -562,7 +599,8 @@ sub cgi_editpage ($$) { #{{{ $form->field(name => "page", type => 'hidden'); $form->field(name => "type", type => 'hidden'); $form->title(sprintf(gettext("editing %s"), $page)); - showform($form, \@buttons, $session, $q); + showform($form, \@buttons, $session, $q, + forcebaseurl => $baseurl); return; } else {