| Comment: | Add the cgi_csrf_safe() routine as a supplemental defense against cross-site request forgery attacks. |
|---|---|
| SHA3-256: |
047802a3c3c55037bb0b897fcbc47100 |
| User & Date: | drh 2018-02-10 16:24:09.484 |
Changes
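--- a/src/cgi.c
+++ b/src/cgi.c
@@ -454,14 +454,37 @@
 const char *zRef = P("referer");
 if( zRef==0 ){
 zRef = P("HTTP_REFERER");
 if( zRef==0 ) zRef = zDefault;
 }
 return zRef;
 }
+/*
+** Return true if the current request appears to be safe from a
+** Cross-Site Request Forgery (CSRF) attack. Conditions that must
+** be met:
+**
+** * The HTTP_REFERER must have the same origin
+** * The REQUEST_METHOD must be POST - or requirePost==0
+*/
+int cgi_csrf_safe(int requirePost){
+const char *zRef = P("HTTP_REFERER");
+int nBase;
+if( zRef==0 ) return 0;
+if( requirePost ){
+const char *zMethod = P("REQUEST_METHOD");
+if( zMethod==0 ) return 0;
+if( strcmp(zMethod,"POST")!=0 ) return 0;
+}
+nBase = (int)strlen(g.zBaseURL);
+if( strncmp(g.zBaseURL,zRef,nBase)!=0 ) return 0;
+if( zRef[nBase]!=0 && zRef[nBase]!='/' ) return 0;
+return 1;
+}
 /*
 ** Information about all query parameters and cookies are stored
 ** in these variables.
 */
 static int nAllocQP = 0; /* Space allocated for aParamQP[] */
 static int nUsedQP = 0; /* Space actually used in aParamQP[] */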
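Review bot: The header comment on cgi_csrf_safe() says the HTTP_REFERER must have the same origin, but the strncmp()/zRef[nBase] test at the end of the function actually requires the referer to start with g.zBaseURL and then either end or continue with '/', i.e. it must lie at or under the base URL path, which is stricter than same-origin and is what callers should expect. Suggest rewording that bullet to `** * The HTTP_REFERER must begin with g.zBaseURL, followed by end-of-string or '/'`. The comparison is case-sensitive, so a referer whose scheme or host differs from g.zBaseURL only in letter case is rejected; that fails closed, which is acceptable for a supplemental check, but the comment should say so since the URL scheme and host are case-insensitive. g.zBaseURL is passed to strlen() without a NULL test; if it can be unset when a page calls this (not visible from the hunk), that is a crash, and `if( zRef==0 || g.zBaseURL==0 ) return 0;` would be the safer guard.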
Changes to src/setup.c.
| ︙ | ︙ | |||
448 449 450 451 452 453 454 |
return;
}
/* If we have all the necessary information, write the new or
** modified user record. After writing the user record, redirect
** to the page that displays a list of users.
*/
| | | 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 |
return;
}
/* If we have all the necessary information, write the new or
** modified user record. After writing the user record, redirect
** to the page that displays a list of users.
*/
doWrite = cgi_all("login","info","pw") && !higherUser && cgi_csrf_safe(1);
if( doWrite ){
char c;
char zCap[50], zNm[4];
zNm[0] = 'a';
zNm[2] = 0;
for(i=0, c='a'; c<='z'; c++){
zNm[1] = c;
|
| ︙ | ︙ | |||
1714 1715 1716 1717 1718 1719 1720 |
void setup_adunit(void){
login_check_credentials();
if( !g.perm.Setup ){
login_needed(0);
return;
}
db_begin_transaction();
| | | 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 |
void setup_adunit(void){
login_check_credentials();
if( !g.perm.Setup ){
login_needed(0);
return;
}
db_begin_transaction();
if( P("clear")!=0 && cgi_csrf_safe(1) ){
db_multi_exec("DELETE FROM config WHERE name GLOB 'adunit*'");
cgi_replace_parameter("adunit","");
}
style_header("Edit Ad Unit");
@ <form action="%s(g.zTop)/setup_adunit" method="post"><div>
login_insert_csrf_secret();
|
| ︙ | ︙ | |||
1803 1804 1805 1806 1807 1808 1809 |
}
login_check_credentials();
if( !g.perm.Setup ){
login_needed(0);
return;
}
db_begin_transaction();
| > > | | 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 |
}
login_check_credentials();
if( !g.perm.Setup ){
login_needed(0);
return;
}
db_begin_transaction();
if( !cgi_csrf_safe(1) ){
/* Allow no state changes if not safe from CSRF */
}else if( P("setlogo")!=0 && zLogoMime && zLogoMime[0] && szLogoImg>0 ){
Blob img;
Stmt ins;
blob_init(&img, aLogoImg, szLogoImg);
db_prepare(&ins,
"REPLACE INTO config(name,value,mtime)"
" VALUES('logo-image',:bytes,now())"
);
|
| ︙ | ︙ | |||
1938 1939 1940 1941 1942 1943 1944 |
/*
** WEBPAGE: admin_sql
**
** Run raw SQL commands against the database file using the web interface.
** Requires Admin privileges.
*/
void sql_page(void){
| | > | 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 |
/*
** WEBPAGE: admin_sql
**
** Run raw SQL commands against the database file using the web interface.
** Requires Admin privileges.
*/
void sql_page(void){
const char *zQ;
int go = P("go")!=0;
login_check_credentials();
if( !g.perm.Setup ){
login_needed(0);
return;
}
add_content_sql_commands(g.db);
db_begin_transaction();
zQ = cgi_csrf_safe(1) ? P("q") : 0;
style_header("Raw SQL Commands");
@ <p><b>Caution:</b> There are no restrictions on the SQL that can be
@ run by this page. You can do serious and irrepairable damage to the
@ repository. Proceed with extreme caution.</p>
@
#if 0
@ <p>Only the first statement in the entry box will be run.
|
| ︙ | ︙ | |||
2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 |
*/
static void setup_update_url_alias(
Blob *pSql,
const char *zOldName,
const char *zNewName,
const char *zValue
){
if( zNewName[0]==0 || zValue[0]==0 ){
if( zOldName[0] ){
blob_append_sql(pSql,
"DELETE FROM config WHERE name='walias:%q';\n",
zOldName);
}
return;
| > | 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 |
*/
static void setup_update_url_alias(
Blob *pSql,
const char *zOldName,
const char *zNewName,
const char *zValue
){
if( !cgi_csrf_safe(1) ) return;
if( zNewName[0]==0 || zValue[0]==0 ){
if( zOldName[0] ){
blob_append_sql(pSql,
"DELETE FROM config WHERE name='walias:%q';\n",
zOldName);
}
return;
|
| ︙ | ︙ |
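Review bot: Every new cgi_csrf_safe(1) gate in this file fails silently: the empty `if( !cgi_csrf_safe(1) ){ }` branch before the setlogo test at 1811, the `&& cgi_csrf_safe(1)` term folded into doWrite at 455, and the early `return` at the top of setup_update_url_alias() at 2278 all drop the write with nothing rendered or logged. A legitimate administrator behind a proxy or browser policy that strips the Referer header will see the form submit and then nothing happen, and repeated rejections, which are the signal an operator would want to see, leave no trace. Suggest at least a visible notice on the rendered page when a state-changing request is refused for this reason, plus a comment on the doWrite line naming the condition: `/* refuse the write unless the Referer check passes (see cgi_csrf_safe) */`. In setup_update_url_alias() the check runs once per alias inside a static helper that only appends SQL to pSql; performing it once in the caller, before the helper is invoked, would keep the helper's contract simple (the caller is outside the hunk). All of the enclosing functions start or end outside their hunks.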
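--- a/src/style.c
+++ b/src/style.c
@@ -923,14 +923,15 @@
 }
 zCap[i] = 0;
 if( i>0 ){
 @ anonymous-adds = %s(zCap)<br />
 }
 @ g.zRepositoryName = %h(g.zRepositoryName)<br />
 @ load_average() = %f(load_average())<br />
+@ cgi_csrf_safe(0) = %d(cgi_csrf_safe(0))<br />
 @ <hr />
 P("HTTP_USER_AGENT");
 cgi_print_all(showAll);
 if( showAll && blob_size(&g.httpHeader)>0 ){
 @ <hr />
 @ <pre>
 @ %h(blob_str(&g.httpHeader))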