Overview
| Comment: | Cleanup forms on the skin editor page. |
|---|---|
| SHA3-256: |
5feae3fd75ca0ce2e0b7672fd14d1b0e |
| User & Date: | drh 2023-09-18 14:29:11.476 |
Context
|
2023-09-18
| ||
| 14:32 | Strengthen CSRF requirements for the skin editor. check-in: 6912636dc3 user: drh tags: csrf-defense-enhancement | |
| 14:29 | Cleanup forms on the skin editor page. check-in: 5feae3fd75 user: drh tags: csrf-defense-enhancement | |
| 14:13 | Stronger CSRF token based on a SHA1 hash of the login cookie. check-in: ff3746c4c2 user: drh tags: csrf-defense-enhancement | |
Changes
Changes to src/skins.c.
| ︙ | ︙ | |||
529 530 531 532 533 534 535 |
zCurrent = getSkin(0);
for(i=0; i<count(aBuiltinSkin); i++){
aBuiltinSkin[i].zSQL = getSkin(aBuiltinSkin[i].zLabel);
}
style_set_current_feature("skins");
| | | 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 |
zCurrent = getSkin(0);
for(i=0; i<count(aBuiltinSkin); i++){
aBuiltinSkin[i].zSQL = getSkin(aBuiltinSkin[i].zLabel);
}
style_set_current_feature("skins");
if( cgi_csrf_safe(2) ){
/* Process requests to delete a user-defined skin */
if( P("del1") && (zName = skinVarName(P("sn"), 1))!=0 ){
style_header("Confirm Custom Skin Delete");
@ <form action="%R/setup_skin_admin" method="post"><div>
@ <p>Deletion of a custom skin is a permanent action that cannot
@ be undone. Please confirm that this is what you want to do:</p>
@ <input type="hidden" name="sn" value="%h(P("sn"))">
|
| ︙ | ︙ | |||
626 627 628 629 630 631 632 633 634 635 636 637 638 639 |
if( fossil_strcmp(aBuiltinSkin[i].zSQL, zCurrent)==0 ){
@ (Currently In Use)
seenCurrent = 1;
}else{
@ <form action="%R/setup_skin_admin" method="post">
@ <input type="hidden" name="sn" value="%h(z)">
@ <input type="submit" name="load" value="Install">
if( pAltSkin==&aBuiltinSkin[i] ){
@ (Current override)
}
@ </form>
}
@ </tr>
}
| > | 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 |
if( fossil_strcmp(aBuiltinSkin[i].zSQL, zCurrent)==0 ){
@ (Currently In Use)
seenCurrent = 1;
}else{
@ <form action="%R/setup_skin_admin" method="post">
@ <input type="hidden" name="sn" value="%h(z)">
@ <input type="submit" name="load" value="Install">
login_insert_csrf_secret();
if( pAltSkin==&aBuiltinSkin[i] ){
@ (Current override)
}
@ </form>
}
@ </tr>
}
|
| ︙ | ︙ | |||
650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 |
if( once ){
once = 0;
@ <tr><td colspan=4><h2>Skins saved as "skin:*' entries \
@ in the CONFIG table:</h2></td></tr>
}
@ <tr><td>%d(i).<td>%h(zN)<td> <td>
@ <form action="%R/setup_skin_admin" method="post">
if( fossil_strcmp(zV, zCurrent)==0 ){
@ (Currently In Use)
seenCurrent = 1;
}else{
@ <input type="submit" name="load" value="Install">
@ <input type="submit" name="del1" value="Delete">
}
@ <input type="submit" name="rename" value="Rename">
@ <input type="hidden" name="sn" value="%h(zN)">
@ </form></tr>
}
db_finalize(&q);
if( !seenCurrent ){
i++;
@ <tr><td colspan=4><h2>Current skin in css/header/footer/details entries \
@ in the CONFIG table:</h2></td></tr>
@ <tr><td>%d(i).<td><i>Current</i><td> <td>
@ <form action="%R/setup_skin_admin" method="post">
@ <input type="submit" name="save" value="Backup">
@ </form>
}
db_prepare(&q,
"SELECT DISTINCT substr(name, 1, 6) FROM config"
" WHERE name GLOB 'draft[1-9]-*'"
" ORDER BY name"
);
once = 1;
while( db_step(&q)==SQLITE_ROW ){
const char *zN = db_column_text(&q, 0);
i++;
if( once ){
once = 0;
@ <tr><td colspan=4><h2>Draft skins stored as "draft[1-9]-*' entries \
@ in the CONFIG table:</h2></td></tr>
}
@ <tr><td>%d(i).<td>%h(zN)<td> <td>
@ <form action="%R/setup_skin_admin" method="post">
@ <input type="submit" name="draftdel" value="Delete">
@ <input type="hidden" name="name" value="%h(zN)">
@ </form></tr>
}
db_finalize(&q);
@ </table>
| > > > | 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 |
if( once ){
once = 0;
@ <tr><td colspan=4><h2>Skins saved as "skin:*' entries \
@ in the CONFIG table:</h2></td></tr>
}
@ <tr><td>%d(i).<td>%h(zN)<td> <td>
@ <form action="%R/setup_skin_admin" method="post">
login_insert_csrf_secret();
if( fossil_strcmp(zV, zCurrent)==0 ){
@ (Currently In Use)
seenCurrent = 1;
}else{
@ <input type="submit" name="load" value="Install">
@ <input type="submit" name="del1" value="Delete">
}
@ <input type="submit" name="rename" value="Rename">
@ <input type="hidden" name="sn" value="%h(zN)">
@ </form></tr>
}
db_finalize(&q);
if( !seenCurrent ){
i++;
@ <tr><td colspan=4><h2>Current skin in css/header/footer/details entries \
@ in the CONFIG table:</h2></td></tr>
@ <tr><td>%d(i).<td><i>Current</i><td> <td>
@ <form action="%R/setup_skin_admin" method="post">
@ <input type="submit" name="save" value="Backup">
login_insert_csrf_secret();
@ </form>
}
db_prepare(&q,
"SELECT DISTINCT substr(name, 1, 6) FROM config"
" WHERE name GLOB 'draft[1-9]-*'"
" ORDER BY name"
);
once = 1;
while( db_step(&q)==SQLITE_ROW ){
const char *zN = db_column_text(&q, 0);
i++;
if( once ){
once = 0;
@ <tr><td colspan=4><h2>Draft skins stored as "draft[1-9]-*' entries \
@ in the CONFIG table:</h2></td></tr>
}
@ <tr><td>%d(i).<td>%h(zN)<td> <td>
@ <form action="%R/setup_skin_admin" method="post">
login_insert_csrf_secret();
@ <input type="submit" name="draftdel" value="Delete">
@ <input type="hidden" name="name" value="%h(zN)">
@ </form></tr>
}
db_finalize(&q);
@ </table>
|
| ︙ | ︙ | |||
1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 |
@ <option value='%d(i)' selected>draft%d(i)</option>
}else{
@ <option value='%d(i)'>draft%d(i)</option>
}
}
@ </select>
@ </p>
@
@ <a name='step2'></a>
@ <h1>Step 2: Authenticate</h1>
@
if( isSetup ){
@ <p>As an administrator, you can make any edits you like to this or
@ any other skin. You can also authorize other users to edit this
| > | 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 |
@ <option value='%d(i)' selected>draft%d(i)</option>
}else{
@ <option value='%d(i)'>draft%d(i)</option>
}
}
@ </select>
@ </p>
@ </form>
@
@ <a name='step2'></a>
@ <h1>Step 2: Authenticate</h1>
@
if( isSetup ){
@ <p>As an administrator, you can make any edits you like to this or
@ any other skin. You can also authorize other users to edit this
|
| ︙ | ︙ |
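Review bot: The delete-confirmation form opened in the first hunk (`@ <form action="%R/setup_skin_admin" method="post"><div>` under the new `if( cgi_csrf_safe(2) )` guard) is cut off right after its hidden `sn` input, so this view cannot confirm that it also receives `login_insert_csrf_secret();` the way every other POST form touched by this check-in does; it should be verified, because if `cgi_csrf_safe(2)` demands the token as its name suggests, a token-less confirmation form would presumably be rejected on submit rather than accepted. A second, stylistic point: the new `login_insert_csrf_secret();` calls are placed inconsistently, directly after the `<form>` line in the saved-skin and draft-skin forms but after the submit inputs in the built-in Install form and the Backup form; emitting it on the line immediately following each `@ <form action="%R/setup_skin_admin" method="post">` would make a missing token obvious when auditing the file. The form closed by the added `@ </form>` in the last hunk opens outside the hunk, so its method and whether it carries a token cannot be checked here.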