Fossil SCM

Cleanup forms on the skin editor page.

drh 2023-09-18 14:29 csrf-defense-enhancement

Commit 5feae3fd75ca0ce2e0b7672fd14d1b0e493ab006111e3190feb34a74fddf20ea

Parent ff3746c4c214a50…

1 file changed +6 -1

M src/skins.c

+6 -1

		--- src/skins.c
		+++ src/skins.c
		@@ -531,11 +531,11 @@
531	531	aBuiltinSkin[i].zSQL = getSkin(aBuiltinSkin[i].zLabel);
532	532	}
533	533
534	534	style_set_current_feature("skins");
535	535
536		- if( cgi_csrf_safe(1) ){
	536	+ if( cgi_csrf_safe(2) ){
537	537	/* Process requests to delete a user-defined skin */
538	538	if( P("del1") && (zName = skinVarName(P("sn"), 1))!=0 ){
539	539	style_header("Confirm Custom Skin Delete");
540	540	@ <form action="%R/setup_skin_admin" method="post"><div>
541	541	@ <p>Deletion of a custom skin is a permanent action that cannot
		@@ -628,10 +628,11 @@
628	628	seenCurrent = 1;
629	629	}else{
630	630	@ <form action="%R/setup_skin_admin" method="post">
631	631	@ <input type="hidden" name="sn" value="%h(z)">
632	632	@ <input type="submit" name="load" value="Install">
	633	+ login_insert_csrf_secret();
633	634	if( pAltSkin==&aBuiltinSkin[i] ){
634	635	@ (Current override)
635	636	}
636	637	@ </form>
637	638	}
		@@ -652,10 +653,11 @@
652	653	@ <tr><td colspan=4><h2>Skins saved as "skin:*' entries \
653	654	@ in the CONFIG table:</h2></td></tr>
654	655	}
655	656	@ <tr><td>%d(i).<td>%h(zN)<td>  <td>
656	657	@ <form action="%R/setup_skin_admin" method="post">
	658	+ login_insert_csrf_secret();
657	659	if( fossil_strcmp(zV, zCurrent)==0 ){
658	660	@ (Currently In Use)
659	661	seenCurrent = 1;
660	662	}else{
661	663	@ <input type="submit" name="load" value="Install">
		@@ -671,10 +673,11 @@
671	673	@ <tr><td colspan=4><h2>Current skin in css/header/footer/details entries \
672	674	@ in the CONFIG table:</h2></td></tr>
673	675	@ <tr><td>%d(i).<td><i>Current</i><td>  <td>
674	676	@ <form action="%R/setup_skin_admin" method="post">
675	677	@ <input type="submit" name="save" value="Backup">
	678	+ login_insert_csrf_secret();
676	679	@ </form>
677	680	}
678	681	db_prepare(&q,
679	682	"SELECT DISTINCT substr(name, 1, 6) FROM config"
680	683	" WHERE name GLOB 'draft[1-9]-*'"
		@@ -689,10 +692,11 @@
689	692	@ <tr><td colspan=4><h2>Draft skins stored as "draft[1-9]-*' entries \
690	693	@ in the CONFIG table:</h2></td></tr>
691	694	}
692	695	@ <tr><td>%d(i).<td>%h(zN)<td>  <td>
693	696	@ <form action="%R/setup_skin_admin" method="post">
	697	+ login_insert_csrf_secret();
694	698	@ <input type="submit" name="draftdel" value="Delete">
695	699	@ <input type="hidden" name="name" value="%h(zN)">
696	700	@ </form></tr>
697	701	}
698	702	db_finalize(&q);
		@@ -1042,10 +1046,11 @@
1042	1046	@ <option value='%d(i)'>draft%d(i)</option>
1043	1047	}
1044	1048	}
1045	1049	@ </select>
1046	1050	@ </p>
	1051	+ @ </form>
1047	1052	@
1048	1053	@ <a name='step2'></a>
1049	1054	@ <h1>Step 2: Authenticate</h1>
1050	1055	@
1051	1056	if( isSetup ){
1052	1057

	--- src/skins.c
	+++ src/skins.c
	@@ -531,11 +531,11 @@
531	aBuiltinSkin[i].zSQL = getSkin(aBuiltinSkin[i].zLabel);
532	}
533
534	style_set_current_feature("skins");
535
536	if( cgi_csrf_safe(1) ){
537	/* Process requests to delete a user-defined skin */
538	if( P("del1") && (zName = skinVarName(P("sn"), 1))!=0 ){
539	style_header("Confirm Custom Skin Delete");
540	@ <form action="%R/setup_skin_admin" method="post"><div>
541	@ <p>Deletion of a custom skin is a permanent action that cannot
	@@ -628,10 +628,11 @@
628	seenCurrent = 1;
629	}else{
630	@ <form action="%R/setup_skin_admin" method="post">
631	@ <input type="hidden" name="sn" value="%h(z)">
632	@ <input type="submit" name="load" value="Install">

633	if( pAltSkin==&aBuiltinSkin[i] ){
634	@ (Current override)
635	}
636	@ </form>
637	}
	@@ -652,10 +653,11 @@
652	@ <tr><td colspan=4><h2>Skins saved as "skin:*' entries \
653	@ in the CONFIG table:</h2></td></tr>
654	}
655	@ <tr><td>%d(i).<td>%h(zN)<td>  <td>
656	@ <form action="%R/setup_skin_admin" method="post">

657	if( fossil_strcmp(zV, zCurrent)==0 ){
658	@ (Currently In Use)
659	seenCurrent = 1;
660	}else{
661	@ <input type="submit" name="load" value="Install">
	@@ -671,10 +673,11 @@
671	@ <tr><td colspan=4><h2>Current skin in css/header/footer/details entries \
672	@ in the CONFIG table:</h2></td></tr>
673	@ <tr><td>%d(i).<td><i>Current</i><td>  <td>
674	@ <form action="%R/setup_skin_admin" method="post">
675	@ <input type="submit" name="save" value="Backup">

676	@ </form>
677	}
678	db_prepare(&q,
679	"SELECT DISTINCT substr(name, 1, 6) FROM config"
680	" WHERE name GLOB 'draft[1-9]-*'"
	@@ -689,10 +692,11 @@
689	@ <tr><td colspan=4><h2>Draft skins stored as "draft[1-9]-*' entries \
690	@ in the CONFIG table:</h2></td></tr>
691	}
692	@ <tr><td>%d(i).<td>%h(zN)<td>  <td>
693	@ <form action="%R/setup_skin_admin" method="post">

694	@ <input type="submit" name="draftdel" value="Delete">
695	@ <input type="hidden" name="name" value="%h(zN)">
696	@ </form></tr>
697	}
698	db_finalize(&q);
	@@ -1042,10 +1046,11 @@
1042	@ <option value='%d(i)'>draft%d(i)</option>
1043	}
1044	}
1045	@ </select>
1046	@ </p>

1047	@
1048	@ <a name='step2'></a>
1049	@ <h1>Step 2: Authenticate</h1>
1050	@
1051	if( isSetup ){
1052

	--- src/skins.c
	+++ src/skins.c
	@@ -531,11 +531,11 @@
531	aBuiltinSkin[i].zSQL = getSkin(aBuiltinSkin[i].zLabel);
532	}
533
534	style_set_current_feature("skins");
535
536	if( cgi_csrf_safe(2) ){
537	/* Process requests to delete a user-defined skin */
538	if( P("del1") && (zName = skinVarName(P("sn"), 1))!=0 ){
539	style_header("Confirm Custom Skin Delete");
540	@ <form action="%R/setup_skin_admin" method="post"><div>
541	@ <p>Deletion of a custom skin is a permanent action that cannot
	@@ -628,10 +628,11 @@
628	seenCurrent = 1;
629	}else{
630	@ <form action="%R/setup_skin_admin" method="post">
631	@ <input type="hidden" name="sn" value="%h(z)">
632	@ <input type="submit" name="load" value="Install">
633	login_insert_csrf_secret();
634	if( pAltSkin==&aBuiltinSkin[i] ){
635	@ (Current override)
636	}
637	@ </form>
638	}
	@@ -652,10 +653,11 @@
653	@ <tr><td colspan=4><h2>Skins saved as "skin:*' entries \
654	@ in the CONFIG table:</h2></td></tr>
655	}
656	@ <tr><td>%d(i).<td>%h(zN)<td>  <td>
657	@ <form action="%R/setup_skin_admin" method="post">
658	login_insert_csrf_secret();
659	if( fossil_strcmp(zV, zCurrent)==0 ){
660	@ (Currently In Use)
661	seenCurrent = 1;
662	}else{
663	@ <input type="submit" name="load" value="Install">
	@@ -671,10 +673,11 @@
673	@ <tr><td colspan=4><h2>Current skin in css/header/footer/details entries \
674	@ in the CONFIG table:</h2></td></tr>
675	@ <tr><td>%d(i).<td><i>Current</i><td>  <td>
676	@ <form action="%R/setup_skin_admin" method="post">
677	@ <input type="submit" name="save" value="Backup">
678	login_insert_csrf_secret();
679	@ </form>
680	}
681	db_prepare(&q,
682	"SELECT DISTINCT substr(name, 1, 6) FROM config"
683	" WHERE name GLOB 'draft[1-9]-*'"
	@@ -689,10 +692,11 @@
692	@ <tr><td colspan=4><h2>Draft skins stored as "draft[1-9]-*' entries \
693	@ in the CONFIG table:</h2></td></tr>
694	}
695	@ <tr><td>%d(i).<td>%h(zN)<td>  <td>
696	@ <form action="%R/setup_skin_admin" method="post">
697	login_insert_csrf_secret();
698	@ <input type="submit" name="draftdel" value="Delete">
699	@ <input type="hidden" name="name" value="%h(zN)">
700	@ </form></tr>
701	}
702	db_finalize(&q);
	@@ -1042,10 +1046,11 @@
1046	@ <option value='%d(i)'>draft%d(i)</option>
1047	}
1048	}
1049	@ </select>
1050	@ </p>
1051	@ </form>
1052	@
1053	@ <a name='step2'></a>
1054	@ <h1>Step 2: Authenticate</h1>
1055	@
1056	if( isSetup ){
1057

Fossil SCM

Keyboard Shortcuts