Overview
| Comment: | Add a CSRF check to /chat-send. |
|---|---|
| SHA3-256: |
4caa8cb9ff819f7eee8536f7f4892fca |
| User & Date: | stephan 2025-09-01 16:58:45.651 |
References
|
2025-12-23
| ||
| 14:50 | Only require CSRF checks for /chat-send if the request was authenticated by cookie. Follow-up to [4caa8cb9ff819f7e]. ... (check-in: 10006db404 user: drh tags: trunk) | |
Context
|
2025-09-01
| ||
| 17:17 | Finish writing a doc sentence started in the previous checkin. ... (check-in: 7a3d6d7057 user: stephan tags: trunk) | |
| 16:58 | Add a CSRF check to /chat-send. ... (check-in: 4caa8cb9ff user: stephan tags: trunk) | |
| 15:37 | Reject all GET/COOKIE vars in which the values contain control characters. ... (check-in: 0c1419a466 user: stephan tags: trunk) | |
Changes
Changes to src/chat.c.
| ︙ | ︙ | |||
387 388 389 390 391 392 393 394 395 396 397 398 399 400 |
if(fAsMessageList){
CX("}]}");
}else{
CX("}");
}
fossil_free(zTime);
}
/*
** WEBPAGE: chat-send hidden loadavg-exempt
**
** This page receives (via XHR) a new chat-message and/or a new file
** to be entered into the chat history.
**
| > > > > > > > > > > > > > > > | 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 |
if(fAsMessageList){
CX("}]}");
}else{
CX("}");
}
fossil_free(zTime);
}
/*
** Like chat_emit_permissions_error() but emits a single
** /chat-message-format JSON object
*/
static void chat_emit_csrf_error(void){
char * zTime = cgi_iso8601_datestamp();
cgi_set_content_type("application/json");
CX("{");
CX("\"isError\": true, \"xfrom\": null,");
CX("\"mtime\": %!j, \"lmtime\": %!j,", zTime, zTime);
CX("\"xmsg\": \"CSRF validation failure.\"");
CX("}");
fossil_free(zTime);
}
/*
** WEBPAGE: chat-send hidden loadavg-exempt
**
** This page receives (via XHR) a new chat-message and/or a new file
** to be entered into the chat history.
**
|
| ︙ | ︙ | |||
419 420 421 422 423 424 425 426 427 428 429 430 431 432 |
void chat_send_webpage(void){
int nByte;
const char *zMsg;
const char *zUserName;
login_check_credentials();
if( 0==g.perm.Chat ) {
chat_emit_permissions_error(0);
return;
}
zUserName = (g.zLogin && g.zLogin[0]) ? g.zLogin : "nobody";
nByte = atoi(PD("file:bytes","0"));
zMsg = PD("msg","");
db_begin_write();
db_unprotect(PROTECT_READONLY);
| > > > | 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 |
void chat_send_webpage(void){
int nByte;
const char *zMsg;
const char *zUserName;
login_check_credentials();
if( 0==g.perm.Chat ) {
chat_emit_permissions_error(0);
return;
}else if( 0==cgi_csrf_safe(1) ){
chat_emit_csrf_error();
return;
}
zUserName = (g.zLogin && g.zLogin[0]) ? g.zLogin : "nobody";
nByte = atoi(PD("file:bytes","0"));
zMsg = PD("msg","");
db_begin_write();
db_unprotect(PROTECT_READONLY);
|
| ︙ | ︙ |
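Review bot: The new gate `}else if( 0==cgi_csrf_safe(1) ){` in chat_send_webpage() runs for every request that has chat permission, regardless of how the request was authenticated, so a /chat-send client that is not authenticated by the login cookie (and therefore has no CSRF token to present) would be rejected as well; the follow-up check-in listed under References (10006db404, "Only require CSRF checks for /chat-send if the request was authenticated by cookie") appears to narrow the condition to exactly that case, and this commit should carry the same restriction. A smaller point in the first hunk: chat_emit_csrf_error() sets the content type to application/json and emits `"isError": true` but does not visibly set an HTTP status, so a client that only inspects the status code will treat the rejection as success; if chat_emit_permissions_error() behaves the same way that is at least consistent, but a one-line comment saying so would help the next reader. The WEBPAGE doc block for chat-send, whose tail lies outside the hunk, should also record the new requirement, e.g. `** Requests that fail cgi_csrf_safe() are rejected with a JSON error object (isError=true, xmsg="CSRF validation failure.").` The meaning of the `1` argument to cgi_csrf_safe() is not visible on this page, so nothing beyond "returns 0 on failure" is assumed here; chat_send_webpage()'s body continues past the end of the hunk.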
Changes to src/fossil.dom.js.
| ︙ | ︙ | |||
841 842 843 844 845 846 847 |
};
/**
Parses a string as HTML.
Usages:
| | | | 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 |
};
/**
Parses a string as HTML.
Usages:
Array parseHtml(htmlString)
DOMElement parseHtml(DOMElement target, htmlString)
The first form parses the string as HTML and returns an Array of
all elements parsed from it. If string is falsy then it returns
an empty array.
The second form parses the HTML string and appends all elements
to the given target element using dom.append(), then returns the
|
| ︙ | ︙ |