From 985b229be632126f376aaad7bd354d0d7d014464 Mon Sep 17 00:00:00 2001
From: Joey Hess <joey@gnu.kitenet.net>
Date: Wed, 17 Dec 2008 14:26:08 -0500
Subject: [PATCH] checksessionexpiry: rework

This function as factored out was a bit confusing, I think this makes more
sense.
---
 IkiWiki/CGI.pm             | 14 ++++++++------
 IkiWiki/Plugin/comments.pm |  2 +-
 IkiWiki/Plugin/editpage.pm |  2 +-
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index a3486cbb4..a45e12e31 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -36,7 +36,7 @@ sub showform ($$$$;@) { #{{{
 
 	printheader($session);
 	print misctemplate($form->title, $form->render(submit => $buttons), @_);
-}
+} #}}}
 
 sub redirect ($$) { #{{{
 	my $q=shift;
@@ -273,7 +273,7 @@ sub check_banned ($$) { #{{{
 			exit;
 		}
 	}
-}
+} #}}}
 
 sub cgi_getsession ($) { #{{{
 	my $q=shift;
@@ -296,14 +296,16 @@ sub cgi_getsession ($) { #{{{
 	return $session;
 } #}}}
 
-# The session id is stored on the form and checked to
-# guard against CSRF. But only if the user is logged in,
-# as anonok can allow anonymous edits.
+# To guard against CSRF, the user's session id (sid)
+# can be stored on a form. This function will check
+# (for logged in users) that the sid on the form matches
+# the session id in the cookie.
 sub checksessionexpiry ($$) { # {{{
+	my $q=shift;
 	my $session = shift;
-	my $sid = shift;
 
 	if (defined $session->param("name")) {
+		my $sid=$q->param('sid');
 		if (! defined $sid || $sid ne $session->id) {
 			error(gettext("Your login session has expired."));
 		}
diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index 1eb256da9..b8748a1d6 100644
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -468,7 +468,7 @@ sub sessioncgi ($$) { #{{{
 	if ($form->submitted eq POST_COMMENT && $form->validate) {
 		my $file = "$location._comment";
 
-		IkiWiki::checksessionexpiry($session, $cgi->param('sid'));
+		IkiWiki::checksessionexpiry($cgi, $session);
 
 		# FIXME: could probably do some sort of graceful retry
 		# on error? Would require significant unwinding though
diff --git a/IkiWiki/Plugin/editpage.pm b/IkiWiki/Plugin/editpage.pm
index e4f0cdac0..242624d77 100644
--- a/IkiWiki/Plugin/editpage.pm
+++ b/IkiWiki/Plugin/editpage.pm
@@ -340,7 +340,7 @@ sub cgi_editpage ($$) { #{{{
 	else {
 		# save page
 		check_canedit($page, $q, $session);
-		checksessionexpiry($session, $q->param('sid'));
+		checksessionexpiry($q, $session, $q->param('sid'));
 
 		my $exists=-e "$config{srcdir}/$file";
 
-- 
2.44.0