Add a CSRF check for the forum post Close/Re-open button.
Commit
619d51440fa5b95f6fffd6dbc201dae6e3cf6e9f0c2b8e121310185650776f74
Parent
420d6e77e48e214…
1 file changed
+4
-2
+4
-2
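--- a/src/forum.c
+++ b/src/forum.c
@@ -902,10 +902,11 @@
 @ </form>
 if( bSelect && forumpost_may_close() && iClosed>=0 ){
 int iHead = forumpost_head_rid(p->fpid);
 @ <form method="post" \
 @ action='%R/forumpost_%s(iClosed > 0 ? "reopen" : "close")'>
+login_insert_csrf_secret();
 @ <input type="hidden" name="fpid" value="%z(rid_to_uuid(iHead))" />
 @ <input type="submit" value='%s(iClosed ? "Re-open" : "Close")' />
 @ </form>
 }
 @ </div>
@@ -1419,10 +1420,11 @@
 login_check_credentials();
 if( forumpost_may_close()==0 ){
 login_needed(g.anon.Admin);
 return;
 }
+cgi_csrf_safe(1);
 fpid = symbolic_name_to_rid(zFpid, "f");
 if( fpid<=0 ){
 webpage_error("Missing or invalid fpid query parameter");
 }
 fClose = sqlite3_strglob("*_close*", g.zPath)==0;
@@ -1769,17 +1771,17 @@
 login_needed(g.anon.Setup);
 return;
 }
 style_set_current_feature("forum");
 style_header("Forum Setup");
-
+
 @ <h2>Metrics</h2>
 {
 int nPosts = db_int(0, "SELECT COUNT(*) FROM event WHERE type='f'");
 @ <p><a href='%R/forum'>Forum posts</a>:
 @ <a href='%R/timeline?y=f'>%d(nPosts)</a></p>
-}
+}
 
 @ <h2>Supervisors</h2>
 @ <p>Users with capabilities 's', 'a', or '6'.</p>
 {
 Stmt q = empty_Stmt;
 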
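Review bot: The result of `cgi_csrf_safe(1)` on new line 1425 is discarded, so the close/re-open handler is only protected if that routine aborts the request itself when the check fails; if it reports failure through its return value instead, the call is a no-op and the line should read `if( !cgi_csrf_safe(1) ) return;` or raise an explicit error — worth confirming against its definition in cgi.c before relying on it. The meaning of security level 1 is also undocumented at the call site; a one-line comment stating what that level requires would make the pairing with `login_insert_csrf_secret()` emitted into the form at line 907 explicit for the next reader. The third hunk is whitespace only. The enclosing functions of the first two hunks start and end outside the hunks.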
| --- src/forum.c | |
| +++ src/forum.c | |
| @@ -902,10 +902,11 @@ | |
| 902 | @ </form> |
| 903 | if( bSelect && forumpost_may_close() && iClosed>=0 ){ |
| 904 | int iHead = forumpost_head_rid(p->fpid); |
| 905 | @ <form method="post" \ |
| 906 | @ action='%R/forumpost_%s(iClosed > 0 ? "reopen" : "close")'> |
| 907 | @ <input type="hidden" name="fpid" value="%z(rid_to_uuid(iHead))" /> |
| 908 | @ <input type="submit" value='%s(iClosed ? "Re-open" : "Close")' /> |
| 909 | @ </form> |
| 910 | } |
| 911 | @ </div> |
| @@ -1419,10 +1420,11 @@ | |
| 1419 | login_check_credentials(); |
| 1420 | if( forumpost_may_close()==0 ){ |
| 1421 | login_needed(g.anon.Admin); |
| 1422 | return; |
| 1423 | } |
| 1424 | fpid = symbolic_name_to_rid(zFpid, "f"); |
| 1425 | if( fpid<=0 ){ |
| 1426 | webpage_error("Missing or invalid fpid query parameter"); |
| 1427 | } |
| 1428 | fClose = sqlite3_strglob("*_close*", g.zPath)==0; |
| @@ -1769,17 +1771,17 @@ | |
| 1769 | login_needed(g.anon.Setup); |
| 1770 | return; |
| 1771 | } |
| 1772 | style_set_current_feature("forum"); |
| 1773 | style_header("Forum Setup"); |
| 1774 | |
| 1775 | @ <h2>Metrics</h2> |
| 1776 | { |
| 1777 | int nPosts = db_int(0, "SELECT COUNT(*) FROM event WHERE type='f'"); |
| 1778 | @ <p><a href='%R/forum'>Forum posts</a>: |
| 1779 | @ <a href='%R/timeline?y=f'>%d(nPosts)</a></p> |
| 1780 | } |
| 1781 | |
| 1782 | @ <h2>Supervisors</h2> |
| 1783 | @ <p>Users with capabilities 's', 'a', or '6'.</p> |
| 1784 | { |
| 1785 | Stmt q = empty_Stmt; |
| 1786 |
| --- src/forum.c | |
| +++ src/forum.c | |
| @@ -902,10 +902,11 @@ | |
| 902 | @ </form> |
| 903 | if( bSelect && forumpost_may_close() && iClosed>=0 ){ |
| 904 | int iHead = forumpost_head_rid(p->fpid); |
| 905 | @ <form method="post" \ |
| 906 | @ action='%R/forumpost_%s(iClosed > 0 ? "reopen" : "close")'> |
| 907 | login_insert_csrf_secret(); |
| 908 | @ <input type="hidden" name="fpid" value="%z(rid_to_uuid(iHead))" /> |
| 909 | @ <input type="submit" value='%s(iClosed ? "Re-open" : "Close")' /> |
| 910 | @ </form> |
| 911 | } |
| 912 | @ </div> |
| @@ -1419,10 +1420,11 @@ | |
| 1420 | login_check_credentials(); |
| 1421 | if( forumpost_may_close()==0 ){ |
| 1422 | login_needed(g.anon.Admin); |
| 1423 | return; |
| 1424 | } |
| 1425 | cgi_csrf_safe(1); |
| 1426 | fpid = symbolic_name_to_rid(zFpid, "f"); |
| 1427 | if( fpid<=0 ){ |
| 1428 | webpage_error("Missing or invalid fpid query parameter"); |
| 1429 | } |
| 1430 | fClose = sqlite3_strglob("*_close*", g.zPath)==0; |
| @@ -1769,17 +1771,17 @@ | |
| 1771 | login_needed(g.anon.Setup); |
| 1772 | return; |
| 1773 | } |
| 1774 | style_set_current_feature("forum"); |
| 1775 | style_header("Forum Setup"); |
| 1776 | |
| 1777 | @ <h2>Metrics</h2> |
| 1778 | { |
| 1779 | int nPosts = db_int(0, "SELECT COUNT(*) FROM event WHERE type='f'"); |
| 1780 | @ <p><a href='%R/forum'>Forum posts</a>: |
| 1781 | @ <a href='%R/timeline?y=f'>%d(nPosts)</a></p> |
| 1782 | } |
| 1783 | |
| 1784 | @ <h2>Supervisors</h2> |
| 1785 | @ <p>Users with capabilities 's', 'a', or '6'.</p> |
| 1786 | { |
| 1787 | Stmt q = empty_Stmt; |
| 1788 |