
Correct previous check-in to fail fatally if the CSRF check fails.

stephan 2023-06-12 09:20 trunk
Commit 37dfb4c8d67aa86465d559b355493ac0ffebfab34038f31f7f39027e9a0c6d1c
2 files changed +17 +1 -1
+17
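--- a/src/cgi.c
+++ b/src/cgi.c
@@ -714,10 +714,27 @@
 if( zMethod==0 ) return 0;
 if( strcmp(zMethod,"POST")!=0 ) return 0;
 }
 return cgi_same_origin();
 }
+
+/*
+** If bLoginVerifyCsrf is true, this calls login_verify_csrf() to
+** verify that the secret injected by login_insert_csrf_secret() is in
+** the CGI environment and valid. If that fails, it does so
+** fatally. If that passes and cgi_csrf_safe(1) returns false, this
+** fails fatally with a message about a cross-site scripting attempt,
+** else it returns without side effects.
+*/
+void cgi_csrf_verify(int bLoginVerifyCsrf){
+ if( bLoginVerifyCsrf!=0 ){
+ login_verify_csrf_secret();
+ }
+ if( 0==cgi_csrf_safe(1) ){
+ fossil_fatal("Cross-site request forgery attempt");
+ }
+}
 
 /*
 ** Information about all query parameters, post parameter, cookies and
 ** CGI environment variables are stored in a hash table as follows:
 */
 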
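Review bot: The header comment added at new lines 720–727 names `login_verify_csrf()` while the body at line 730 calls `login_verify_csrf_secret()`, and it says the fatal message is about a "cross-site scripting attempt" although the message at line 733 reports a cross-site request forgery, which is the correct class for this check. I would change the two comment lines to `** If bLoginVerifyCsrf is true, this calls login_verify_csrf_secret() to` and `** fails fatally with a message about a cross-site request forgery attempt,`. The meaning of the literal 1 passed to cgi_csrf_safe() is not visible in this hunk; one phrase in the comment stating what that argument selects would let a reader judge the check without opening cgi_csrf_safe(). The same section is rendered again below in side-by-side form; the remark applies there too.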
--- src/cgi.c
+++ src/cgi.c
@@ -714,10 +714,27 @@
714 if( zMethod==0 ) return 0;
715 if( strcmp(zMethod,"POST")!=0 ) return 0;
716 }
717 return cgi_same_origin();
718 }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
719
720 /*
721 ** Information about all query parameters, post parameter, cookies and
722 ** CGI environment variables are stored in a hash table as follows:
723 */
724
--- src/cgi.c
+++ src/cgi.c
@@ -714,10 +714,27 @@
714 if( zMethod==0 ) return 0;
715 if( strcmp(zMethod,"POST")!=0 ) return 0;
716 }
717 return cgi_same_origin();
718 }
719
720 /*
721 ** If bLoginVerifyCsrf is true, this calls login_verify_csrf() to
722 ** verify that the secret injected by login_insert_csrf_secret() is in
723 ** the CGI environment and valid. If that fails, it does so
724 ** fatally. If that passes and cgi_csrf_safe(1) returns false, this
725 ** fails fatally with a message about a cross-site scripting attempt,
726 ** else it returns without side effects.
727 */
728 void cgi_csrf_verify(int bLoginVerifyCsrf){
729 if( bLoginVerifyCsrf!=0 ){
730 login_verify_csrf_secret();
731 }
732 if( 0==cgi_csrf_safe(1) ){
733 fossil_fatal("Cross-site request forgery attempt");
734 }
735 }
736
737 /*
738 ** Information about all query parameters, post parameter, cookies and
739 ** CGI environment variables are stored in a hash table as follows:
740 */
741
+1 -1
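--- a/src/forum.c
+++ b/src/forum.c
@@ -1420,11 +1420,11 @@
 login_check_credentials();
 if( forumpost_may_close()==0 ){
 login_needed(g.anon.Admin);
 return;
 }
- cgi_csrf_safe(1);
+ cgi_csrf_verify(1);
 fpid = symbolic_name_to_rid(zFpid, "f");
 if( fpid<=0 ){
 webpage_error("Missing or invalid fpid query parameter");
 }
 fClose = sqlite3_strglob("*_close*", g.zPath)==0;
 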
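Review bot: The removed line at old 1425 shows that cgi_csrf_safe() returns a result that is easy to discard silently, so this call site was a no-op check until now; the replacement with cgi_csrf_verify(1) closes that here, but nothing on this page shows whether other call sites discard the return value the same way, which is worth confirming across the tree. If cgi_csrf_safe() is meant to be used only through the new wrapper, marking its declaration so an ignored result warns (for example a `warn_unused_result` attribute, if the project's compiler flags allow it) would keep this class of mistake from recurring. The enclosing function starts and ends outside the hunk.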
--- src/forum.c
+++ src/forum.c
@@ -1420,11 +1420,11 @@
1420 login_check_credentials();
1421 if( forumpost_may_close()==0 ){
1422 login_needed(g.anon.Admin);
1423 return;
1424 }
1425 cgi_csrf_safe(1);
1426 fpid = symbolic_name_to_rid(zFpid, "f");
1427 if( fpid<=0 ){
1428 webpage_error("Missing or invalid fpid query parameter");
1429 }
1430 fClose = sqlite3_strglob("*_close*", g.zPath)==0;
1431
--- src/forum.c
+++ src/forum.c
@@ -1420,11 +1420,11 @@
1420 login_check_credentials();
1421 if( forumpost_may_close()==0 ){
1422 login_needed(g.anon.Admin);
1423 return;
1424 }
1425 cgi_csrf_verify(1);
1426 fpid = symbolic_name_to_rid(zFpid, "f");
1427 if( fpid<=0 ){
1428 webpage_error("Missing or invalid fpid query parameter");
1429 }
1430 fClose = sqlite3_strglob("*_close*", g.zPath)==0;
1431
