my $session=shift;
needsignin($q, $session);
-
decode_cgi_utf8($q);
+
+ # The session id is stored on the form and checked to
+ # guard against CSRF.
+ my $sid=$q->param('sid');
+ if (! defined $sid) {
+ $q->delete_all;
+ }
+ elsif ($sid ne $session->id) {
+ error(gettext("Your login session has expired."));
+ }
+
eval q{use CGI::FormBuilder};
error($@) if $@;
my $form = CGI::FormBuilder->new(
buttons => $buttons);
});
- $form->field(name => "do", type => "hidden");
+ $form->field(name => "do", type => "hidden", value => "prefs",
+ force => 1);
+ $form->field(name => "sid", type => "hidden", value => $session->id,
+ force => 1);
$form->field(name => "email", size => 50, fieldset => "preferences");
$form->field(name => "banned_users", size => 50,
fieldset => "admin");
sub cgi_editpage ($$) { #{{{
my $q=shift;
my $session=shift;
-
- my @fields=qw(do rcsinfo subpage from page type editcontent comments);
- my @buttons=("Save Page", "Preview", "Cancel");
decode_cgi_utf8($q);
+
+ my @fields=qw(do rcsinfo subpage from page type editcontent comments);
+ my @buttons=("Save Page", "Preview", "Cancel");
eval q{use CGI::FormBuilder};
error($@) if $@;
my $form = CGI::FormBuilder->new(
}
$form->field(name => "do", type => 'hidden');
+ $form->field(name => "sid", type => "hidden", value => $session->id,
+ force => 1);
$form->field(name => "from", type => 'hidden');
$form->field(name => "rcsinfo", type => 'hidden');
$form->field(name => "subpage", type => 'hidden');
else {
# save page
check_canedit($page, $q, $session);
+
+ # The session id is stored on the form and checked to
+ # guard against CSRF. But only if the user is logged in,
+ # as anonok can allow anonymous edits.
+ if (defined $session->param("name")) {
+ my $sid=$q->param('sid');
+ if (! defined $sid || $sid ne $session->id) {
+ error(gettext("Your login session has expired."));
+ }
+ }
my $exists=-e "$config{srcdir}/$file";
* aggregate: Correct a mistake in the code that dummy up a guid for feeds
lacking one.
* inline: Correct handling of urls relative to baseurl in feeds.
+ * Fix CSRF attacks against the preferences and edit forms. The fix involved
+ embedding the session id in the forms, and not allowing the forms to be
+ submitted if the embedded id does not match the session id. Closes: #475445
-- Joey Hess <joeyh@debian.org> Thu, 03 Apr 2008 02:35:39 -0400
## XSS holes in CGI output
-ikiwiki has not yet been audited to ensure that all cgi script input/output
+ikiwiki has been audited to ensure that all cgi script input/output
is sanitised to prevent XSS attacks. For example, a user can't register
with a username containing html code (anymore).
A fix was also backported to Debian etch, as version 1.33.4. I recommend
upgrading to one of these versions if your wiki can be edited by third
parties.
+
+## Cross Site Request Forging
+
+Cross Site Request Forging could be used to constuct a link that would
+change a logged-in user's password or other preferences if they clicked on
+the link. It could also be used to construct a link that would cause a wiki
+page to be modified by a logged-in user.
+
+These holes were discovered on 10 April 2008 and fixed the same day with
+the release of ikiwiki 2.42. A fix was also backported to Debian etch, as
+version 1.33.4. I recommend upgrading to one of these versions.
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2008-03-29 21:01-0400\n"
+"POT-Creation-Date: 2008-04-10 16:18-0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
msgid "login failed, perhaps you need to turn on cookies?"
msgstr ""
-#: ../IkiWiki/CGI.pm:184
+#: ../IkiWiki/CGI.pm:173 ../IkiWiki/CGI.pm:499
+msgid "Your login session has expired."
+msgstr ""
+
+#: ../IkiWiki/CGI.pm:194
msgid "Login"
msgstr ""
-#: ../IkiWiki/CGI.pm:185
+#: ../IkiWiki/CGI.pm:195
msgid "Preferences"
msgstr ""
-#: ../IkiWiki/CGI.pm:186
+#: ../IkiWiki/CGI.pm:196
msgid "Admin"
msgstr ""
-#: ../IkiWiki/CGI.pm:235
+#: ../IkiWiki/CGI.pm:248
msgid "Preferences saved."
msgstr ""
-#: ../IkiWiki/CGI.pm:293
+#: ../IkiWiki/CGI.pm:306
#, perl-format
msgid "%s is not an editable page"
msgstr ""
-#: ../IkiWiki/CGI.pm:395 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:410 ../IkiWiki/Plugin/brokenlinks.pm:24
#: ../IkiWiki/Plugin/inline.pm:265 ../IkiWiki/Plugin/opendiscussion.pm:17
#: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:95
#: ../IkiWiki/Render.pm:172
msgid "discussion"
msgstr ""
-#: ../IkiWiki/CGI.pm:451
+#: ../IkiWiki/CGI.pm:466
#, perl-format
msgid "creating %s"
msgstr ""
-#: ../IkiWiki/CGI.pm:469 ../IkiWiki/CGI.pm:487 ../IkiWiki/CGI.pm:497
-#: ../IkiWiki/CGI.pm:531 ../IkiWiki/CGI.pm:576
+#: ../IkiWiki/CGI.pm:484 ../IkiWiki/CGI.pm:512 ../IkiWiki/CGI.pm:522
+#: ../IkiWiki/CGI.pm:556 ../IkiWiki/CGI.pm:601
#, perl-format
msgid "editing %s"
msgstr ""
-#: ../IkiWiki/CGI.pm:666
+#: ../IkiWiki/CGI.pm:691
msgid "You are banned."
msgstr ""
msgid "Discussion"
msgstr ""
-#: ../IkiWiki/Plugin/inline.pm:491
+#: ../IkiWiki/Plugin/inline.pm:500
msgid "RPC::XML::Client not found, not pinging"
msgstr ""
</TMPL_IF>
<TMPL_VAR FORM-START>
<TMPL_VAR FIELD-DO>
+<TMPL_VAR FIELD-SID>
<TMPL_VAR FIELD-FROM>
<TMPL_VAR FIELD-RCSINFO>
<TMPL_VAR FIELD-NEWFILE>
sipb-www / ikiwiki.git / commitdiff
