X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/f7bdc2385d3ec8060f00d5ceb3b45f3cc4760e38..96b38807256362f4cf0738ab64d169210ac3aa11:/IkiWiki/CGI.pm

diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index 042e168aa..781974c13 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -161,8 +161,18 @@ sub cgi_prefs ($$) { #{{{
 	my $session=shift;
 
 	needsignin($q, $session);
-
 	decode_cgi_utf8($q);
+	
+	# The session id is stored on the form and checked to
+	# guard against CSRF.
+	my $sid=$q->param('sid');
+	if (! defined $sid) {
+		$q->delete_all;
+	}
+	elsif ($sid ne $session->id) {
+		error(gettext("Your login session has expired."));
+	}
+
 	eval q{use CGI::FormBuilder};
 	error($@) if $@;
 	my $form = CGI::FormBuilder->new(
@@ -193,7 +203,10 @@ sub cgi_prefs ($$) { #{{{
 		        buttons => $buttons);
 	});
 	
-	$form->field(name => "do", type => "hidden");
+	$form->field(name => "do", type => "hidden", value => "prefs",
+		force => 1);
+	$form->field(name => "sid", type => "hidden", value => $session->id,
+		force => 1);
 	$form->field(name => "email", size => 50, fieldset => "preferences");
 	$form->field(name => "banned_users", size => 50,
 		fieldset => "admin");
@@ -241,11 +254,11 @@ sub cgi_prefs ($$) { #{{{
 sub cgi_editpage ($$) { #{{{
 	my $q=shift;
 	my $session=shift;
-
-	my @fields=qw(do rcsinfo subpage from page type editcontent comments);
-	my @buttons=("Save Page", "Preview", "Cancel");
 	
 	decode_cgi_utf8($q);
+	
+	my @fields=qw(do rcsinfo subpage from page type editcontent comments);
+	my @buttons=("Save Page", "Preview", "Cancel");
 	eval q{use CGI::FormBuilder};
 	error($@) if $@;
 	my $form = CGI::FormBuilder->new(
@@ -316,6 +329,8 @@ sub cgi_editpage ($$) { #{{{
 	}
 
 	$form->field(name => "do", type => 'hidden');
+	$form->field(name => "sid", type => "hidden", value => $session->id,
+		force => 1);
 	$form->field(name => "from", type => 'hidden');
 	$form->field(name => "rcsinfo", type => 'hidden');
 	$form->field(name => "subpage", type => 'hidden');
@@ -344,6 +359,12 @@ sub cgi_editpage ($$) { #{{{
 		return;
 	}
 	elsif ($form->submitted eq "Preview") {
+		my $new=not exists $pagesources{$page};
+		if ($new) {
+			# temporarily record its type
+			$pagesources{$page}=$page.".".$type;
+		}
+
 		my $content=$form->field('editcontent');
 		run_hooks(editcontent => sub {
 			$content=shift->(
@@ -358,6 +379,10 @@ sub cgi_editpage ($$) { #{{{
 			linkify($page, $page,
 			preprocess($page, $page,
 			filter($page, $page, $content), 0, 1))));
+		
+		if ($new) {
+			delete $pagesources{$page};
+		}
 		# previewing may have created files on disk
 		saveindex();
 	}
@@ -464,11 +489,21 @@ sub cgi_editpage ($$) { #{{{
 	else {
 		# save page
 		check_canedit($page, $q, $session);
+	
+		# The session id is stored on the form and checked to
+		# guard against CSRF. But only if the user is logged in,
+		# as anonok can allow anonymous edits.
+		if (defined $session->param("name")) {
+			my $sid=$q->param('sid');
+			if (! defined $sid || $sid ne $session->id) {
+				error(gettext("Your login session has expired."));
+			}
+		}
 
 		my $exists=-e "$config{srcdir}/$file";
 
 		if ($form->field("do") ne "create" && ! $exists &&
-		    ! eval { srcfile($file) }) {
+		    ! defined srcfile($file, 1)) {
 			$form->tmpl_param("page_gone", 1);
 			$form->field(name => "do", value => "create", force => 1);
 			$form->tmpl_param("page_select", 0);