Fossil SCM
New uses for cgi_csrf_safe().
Commit
c9efdfcaf4b91d0de9cd2c7c717e1efb6f23faa79b247a0b4a3012b361fa2551
Parent
047802a3c3c5503…
2 files changed
+1
-1
+68
-66
+1
-1
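--- a/src/info.c
+++ b/src/info.c
@@ -2618,11 +2618,11 @@
 zNewTag = PDT("tagname","");
 zNewBrFlag = P("newbr") ? " checked" : "";
 zNewBranch = PDT("brname","");
 zCloseFlag = P("close") ? " checked" : "";
 zHideFlag = P("hide") ? " checked" : "";
-if( P("apply") ){
+if( P("apply") && cgi_csrf_safe(1) ){
 Blob ctrl;
 char *zNow;
 
 login_verify_csrf_secret();
 blob_zero(&ctrl);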
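Review bot: The new `cgi_csrf_safe(1)` guard on the `if( P("apply") ...` line is immediately followed inside the block by the pre-existing `login_verify_csrf_secret()` call, so the apply path now performs two CSRF checks and nothing in the hunk says how they relate. If `cgi_csrf_safe(1)` already validates the anti-CSRF token the inner call is redundant; if it only checks request origin and method, that division of responsibility is worth stating where the guard is introduced, e.g. `/* cgi_csrf_safe(1) rejects cross-origin submissions; the token itself is still checked by login_verify_csrf_secret() below */` (wording to match what cgi_csrf_safe(1) actually enforces). A second consequence worth a comment is that when the guard fails the handler simply falls through and re-renders the edit form, so a rejected "apply" may look like a silent no-op to the user unless cgi_csrf_safe itself reports an error. The enclosing function starts and ends outside the hunk.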
| --- src/info.c | |
| +++ src/info.c | |
| @@ -2618,11 +2618,11 @@ | |
| 2618 | zNewTag = PDT("tagname",""); |
| 2619 | zNewBrFlag = P("newbr") ? " checked" : ""; |
| 2620 | zNewBranch = PDT("brname",""); |
| 2621 | zCloseFlag = P("close") ? " checked" : ""; |
| 2622 | zHideFlag = P("hide") ? " checked" : ""; |
| 2623 | if( P("apply") ){ |
| 2624 | Blob ctrl; |
| 2625 | char *zNow; |
| 2626 | |
| 2627 | login_verify_csrf_secret(); |
| 2628 | blob_zero(&ctrl); |
| 2629 |
| --- src/info.c | |
| +++ src/info.c | |
| @@ -2618,11 +2618,11 @@ | |
| 2618 | zNewTag = PDT("tagname",""); |
| 2619 | zNewBrFlag = P("newbr") ? " checked" : ""; |
| 2620 | zNewBranch = PDT("brname",""); |
| 2621 | zCloseFlag = P("close") ? " checked" : ""; |
| 2622 | zHideFlag = P("hide") ? " checked" : ""; |
| 2623 | if( P("apply") && cgi_csrf_safe(1) ){ |
| 2624 | Blob ctrl; |
| 2625 | char *zNow; |
| 2626 | |
| 2627 | login_verify_csrf_secret(); |
| 2628 | blob_zero(&ctrl); |
| 2629 |
+68
-66
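--- a/src/skins.c
+++ b/src/skins.c
@@ -467,76 +467,78 @@
 zCurrent = getSkin(0);
 for(i=0; i<count(aBuiltinSkin); i++){
 aBuiltinSkin[i].zSQL = getSkin(aBuiltinSkin[i].zLabel);
 }
 
-/* Process requests to delete a user-defined skin */
-if( P("del1") && (zName = skinVarName(P("sn"), 1))!=0 ){
-style_header("Confirm Custom Skin Delete");
-@ <form action="%s(g.zTop)/setup_skin_admin" method="post"><div>
-@ <p>Deletion of a custom skin is a permanent action that cannot
-@ be undone. Please confirm that this is what you want to do:</p>
-@ <input type="hidden" name="sn" value="%h(P("sn"))" />
-@ <input type="submit" name="del2" value="Confirm - Delete The Skin" />
-@ <input type="submit" name="cancel" value="Cancel - Do Not Delete" />
-login_insert_csrf_secret();
-@ </div></form>
-style_footer();
-return;
-}
-if( P("del2")!=0 && (zName = skinVarName(P("sn"), 1))!=0 ){
-db_multi_exec("DELETE FROM config WHERE name=%Q", zName);
-}
-if( P("draftdel")!=0 ){
-const char *zDraft = P("name");
-if( sqlite3_strglob("draft[1-9]",zDraft)==0 ){
-db_multi_exec("DELETE FROM config WHERE name GLOB '%q-*'", zDraft);
-}
-}
-if( skinRename() ) return;
-if( skinSave(zCurrent) ) return;
-
-/* The user pressed one of the "Install" buttons. */
-if( P("load") && (z = P("sn"))!=0 && z[0] ){
-int seen = 0;
-
-/* Check to see if the current skin is already saved. If it is, there
-** is no need to create a backup */
-zCurrent = getSkin(0);
-for(i=0; i<count(aBuiltinSkin); i++){
-if( fossil_strcmp(aBuiltinSkin[i].zSQL, zCurrent)==0 ){
-seen = 1;
-break;
-}
-}
-if( !seen ){
-seen = db_exists("SELECT 1 FROM config WHERE name GLOB 'skin:*'"
-" AND value=%Q", zCurrent);
-if( !seen ){
-db_multi_exec(
-"INSERT INTO config(name,value,mtime) VALUES("
-" strftime('skin:Backup On %%Y-%%m-%%d %%H:%%M:%%S'),"
-" %Q,now())", zCurrent
-);
-}
-}
-seen = 0;
-for(i=0; i<count(aBuiltinSkin); i++){
-if( fossil_strcmp(aBuiltinSkin[i].zDesc, z)==0 ){
-seen = 1;
-zCurrent = aBuiltinSkin[i].zSQL;
-db_multi_exec("%s", zCurrent/*safe-for-%s*/);
-break;
-}
-}
-if( !seen ){
-zName = skinVarName(z,0);
-zCurrent = db_get(zName, 0);
-db_multi_exec("%s", zCurrent/*safe-for-%s*/);
-}
-}
-
+if( cgi_csrf_safe(1) ){
+/* Process requests to delete a user-defined skin */
+if( P("del1") && (zName = skinVarName(P("sn"), 1))!=0 ){
+style_header("Confirm Custom Skin Delete");
+@ <form action="%s(g.zTop)/setup_skin_admin" method="post"><div>
+@ <p>Deletion of a custom skin is a permanent action that cannot
+@ be undone. Please confirm that this is what you want to do:</p>
+@ <input type="hidden" name="sn" value="%h(P("sn"))" />
+@ <input type="submit" name="del2" value="Confirm - Delete The Skin" />
+@ <input type="submit" name="cancel" value="Cancel - Do Not Delete" />
+login_insert_csrf_secret();
+@ </div></form>
+style_footer();
+return;
+}
+if( P("del2")!=0 && (zName = skinVarName(P("sn"), 1))!=0 ){
+db_multi_exec("DELETE FROM config WHERE name=%Q", zName);
+}
+if( P("draftdel")!=0 ){
+const char *zDraft = P("name");
+if( sqlite3_strglob("draft[1-9]",zDraft)==0 ){
+db_multi_exec("DELETE FROM config WHERE name GLOB '%q-*'", zDraft);
+}
+}
+if( skinRename() ) return;
+if( skinSave(zCurrent) ) return;
+
+/* The user pressed one of the "Install" buttons. */
+if( P("load") && (z = P("sn"))!=0 && z[0] ){
+int seen = 0;
+
+/* Check to see if the current skin is already saved. If it is, there
+** is no need to create a backup */
+zCurrent = getSkin(0);
+for(i=0; i<count(aBuiltinSkin); i++){
+if( fossil_strcmp(aBuiltinSkin[i].zSQL, zCurrent)==0 ){
+seen = 1;
+break;
+}
+}
+if( !seen ){
+seen = db_exists("SELECT 1 FROM config WHERE name GLOB 'skin:*'"
+" AND value=%Q", zCurrent);
+if( !seen ){
+db_multi_exec(
+"INSERT INTO config(name,value,mtime) VALUES("
+" strftime('skin:Backup On %%Y-%%m-%%d %%H:%%M:%%S'),"
+" %Q,now())", zCurrent
+);
+}
+}
+seen = 0;
+for(i=0; i<count(aBuiltinSkin); i++){
+if( fossil_strcmp(aBuiltinSkin[i].zDesc, z)==0 ){
+seen = 1;
+zCurrent = aBuiltinSkin[i].zSQL;
+db_multi_exec("%s", zCurrent/*safe-for-%s*/);
+break;
+}
+}
+if( !seen ){
+zName = skinVarName(z,0);
+zCurrent = db_get(zName, 0);
+db_multi_exec("%s", zCurrent/*safe-for-%s*/);
+}
+}
+}
+
 style_header("Skins");
 if( zErr ){
 @ <p style="color:red">%h(zErr)</p>
 }
 @ <table border="0">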
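Review bot: The new `if( cgi_csrf_safe(1) ){` at the top of the hunk wraps 66 otherwise unchanged lines and carries no comment, so a reader sees only a re-indented block and has to work out that every state-changing action on this page — the del1 confirmation form, the del2 and draftdel deletes, `skinRename()`, `skinSave()` and the install branch under `load` — is now gated on the CSRF check, while a request that fails it silently falls through to the skin listing rendered by `style_header("Skins")`. Suggest a comment on that line, e.g. `/* Only act on submissions that pass the CSRF check; anything else just falls through to the skin listing below. */`. As a point of style, the extra level pushes the install branch's inner `if( !seen )` to four nested `if`s; moving the gated body into a `static` helper that returns non-zero where the current code does `return;`, called as `if( cgi_csrf_safe(1) && helper() ) return;`, would keep the diff to a few lines and the nesting as it was. The enclosing function starts and ends outside the hunk.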
| --- src/skins.c | |
| +++ src/skins.c | |
| @@ -467,76 +467,78 @@ | |
| 467 | zCurrent = getSkin(0); |
| 468 | for(i=0; i<count(aBuiltinSkin); i++){ |
| 469 | aBuiltinSkin[i].zSQL = getSkin(aBuiltinSkin[i].zLabel); |
| 470 | } |
| 471 | |
| 472 | /* Process requests to delete a user-defined skin */ |
| 473 | if( P("del1") && (zName = skinVarName(P("sn"), 1))!=0 ){ |
| 474 | style_header("Confirm Custom Skin Delete"); |
| 475 | @ <form action="%s(g.zTop)/setup_skin_admin" method="post"><div> |
| 476 | @ <p>Deletion of a custom skin is a permanent action that cannot |
| 477 | @ be undone. Please confirm that this is what you want to do:</p> |
| 478 | @ <input type="hidden" name="sn" value="%h(P("sn"))" /> |
| 479 | @ <input type="submit" name="del2" value="Confirm - Delete The Skin" /> |
| 480 | @ <input type="submit" name="cancel" value="Cancel - Do Not Delete" /> |
| 481 | login_insert_csrf_secret(); |
| 482 | @ </div></form> |
| 483 | style_footer(); |
| 484 | return; |
| 485 | } |
| 486 | if( P("del2")!=0 && (zName = skinVarName(P("sn"), 1))!=0 ){ |
| 487 | db_multi_exec("DELETE FROM config WHERE name=%Q", zName); |
| 488 | } |
| 489 | if( P("draftdel")!=0 ){ |
| 490 | const char *zDraft = P("name"); |
| 491 | if( sqlite3_strglob("draft[1-9]",zDraft)==0 ){ |
| 492 | db_multi_exec("DELETE FROM config WHERE name GLOB '%q-*'", zDraft); |
| 493 | } |
| 494 | } |
| 495 | if( skinRename() ) return; |
| 496 | if( skinSave(zCurrent) ) return; |
| 497 | |
| 498 | /* The user pressed one of the "Install" buttons. */ |
| 499 | if( P("load") && (z = P("sn"))!=0 && z[0] ){ |
| 500 | int seen = 0; |
| 501 | |
| 502 | /* Check to see if the current skin is already saved. If it is, there |
| 503 | ** is no need to create a backup */ |
| 504 | zCurrent = getSkin(0); |
| 505 | for(i=0; i<count(aBuiltinSkin); i++){ |
| 506 | if( fossil_strcmp(aBuiltinSkin[i].zSQL, zCurrent)==0 ){ |
| 507 | seen = 1; |
| 508 | break; |
| 509 | } |
| 510 | } |
| 511 | if( !seen ){ |
| 512 | seen = db_exists("SELECT 1 FROM config WHERE name GLOB 'skin:*'" |
| 513 | " AND value=%Q", zCurrent); |
| 514 | if( !seen ){ |
| 515 | db_multi_exec( |
| 516 | "INSERT INTO config(name,value,mtime) VALUES(" |
| 517 | " strftime('skin:Backup On %%Y-%%m-%%d %%H:%%M:%%S')," |
| 518 | " %Q,now())", zCurrent |
| 519 | ); |
| 520 | } |
| 521 | } |
| 522 | seen = 0; |
| 523 | for(i=0; i<count(aBuiltinSkin); i++){ |
| 524 | if( fossil_strcmp(aBuiltinSkin[i].zDesc, z)==0 ){ |
| 525 | seen = 1; |
| 526 | zCurrent = aBuiltinSkin[i].zSQL; |
| 527 | db_multi_exec("%s", zCurrent/*safe-for-%s*/); |
| 528 | break; |
| 529 | } |
| 530 | } |
| 531 | if( !seen ){ |
| 532 | zName = skinVarName(z,0); |
| 533 | zCurrent = db_get(zName, 0); |
| 534 | db_multi_exec("%s", zCurrent/*safe-for-%s*/); |
| 535 | } |
| 536 | } |
| 537 | |
| 538 | style_header("Skins"); |
| 539 | if( zErr ){ |
| 540 | @ <p style="color:red">%h(zErr)</p> |
| 541 | } |
| 542 | @ <table border="0"> |
| 543 |
| --- src/skins.c | |
| +++ src/skins.c | |
| @@ -467,76 +467,78 @@ | |
| 467 | zCurrent = getSkin(0); |
| 468 | for(i=0; i<count(aBuiltinSkin); i++){ |
| 469 | aBuiltinSkin[i].zSQL = getSkin(aBuiltinSkin[i].zLabel); |
| 470 | } |
| 471 | |
| 472 | if( cgi_csrf_safe(1) ){ |
| 473 | /* Process requests to delete a user-defined skin */ |
| 474 | if( P("del1") && (zName = skinVarName(P("sn"), 1))!=0 ){ |
| 475 | style_header("Confirm Custom Skin Delete"); |
| 476 | @ <form action="%s(g.zTop)/setup_skin_admin" method="post"><div> |
| 477 | @ <p>Deletion of a custom skin is a permanent action that cannot |
| 478 | @ be undone. Please confirm that this is what you want to do:</p> |
| 479 | @ <input type="hidden" name="sn" value="%h(P("sn"))" /> |
| 480 | @ <input type="submit" name="del2" value="Confirm - Delete The Skin" /> |
| 481 | @ <input type="submit" name="cancel" value="Cancel - Do Not Delete" /> |
| 482 | login_insert_csrf_secret(); |
| 483 | @ </div></form> |
| 484 | style_footer(); |
| 485 | return; |
| 486 | } |
| 487 | if( P("del2")!=0 && (zName = skinVarName(P("sn"), 1))!=0 ){ |
| 488 | db_multi_exec("DELETE FROM config WHERE name=%Q", zName); |
| 489 | } |
| 490 | if( P("draftdel")!=0 ){ |
| 491 | const char *zDraft = P("name"); |
| 492 | if( sqlite3_strglob("draft[1-9]",zDraft)==0 ){ |
| 493 | db_multi_exec("DELETE FROM config WHERE name GLOB '%q-*'", zDraft); |
| 494 | } |
| 495 | } |
| 496 | if( skinRename() ) return; |
| 497 | if( skinSave(zCurrent) ) return; |
| 498 | |
| 499 | /* The user pressed one of the "Install" buttons. */ |
| 500 | if( P("load") && (z = P("sn"))!=0 && z[0] ){ |
| 501 | int seen = 0; |
| 502 | |
| 503 | /* Check to see if the current skin is already saved. If it is, there |
| 504 | ** is no need to create a backup */ |
| 505 | zCurrent = getSkin(0); |
| 506 | for(i=0; i<count(aBuiltinSkin); i++){ |
| 507 | if( fossil_strcmp(aBuiltinSkin[i].zSQL, zCurrent)==0 ){ |
| 508 | seen = 1; |
| 509 | break; |
| 510 | } |
| 511 | } |
| 512 | if( !seen ){ |
| 513 | seen = db_exists("SELECT 1 FROM config WHERE name GLOB 'skin:*'" |
| 514 | " AND value=%Q", zCurrent); |
| 515 | if( !seen ){ |
| 516 | db_multi_exec( |
| 517 | "INSERT INTO config(name,value,mtime) VALUES(" |
| 518 | " strftime('skin:Backup On %%Y-%%m-%%d %%H:%%M:%%S')," |
| 519 | " %Q,now())", zCurrent |
| 520 | ); |
| 521 | } |
| 522 | } |
| 523 | seen = 0; |
| 524 | for(i=0; i<count(aBuiltinSkin); i++){ |
| 525 | if( fossil_strcmp(aBuiltinSkin[i].zDesc, z)==0 ){ |
| 526 | seen = 1; |
| 527 | zCurrent = aBuiltinSkin[i].zSQL; |
| 528 | db_multi_exec("%s", zCurrent/*safe-for-%s*/); |
| 529 | break; |
| 530 | } |
| 531 | } |
| 532 | if( !seen ){ |
| 533 | zName = skinVarName(z,0); |
| 534 | zCurrent = db_get(zName, 0); |
| 535 | db_multi_exec("%s", zCurrent/*safe-for-%s*/); |
| 536 | } |
| 537 | } |
| 538 | } |
| 539 | |
| 540 | style_header("Skins"); |
| 541 | if( zErr ){ |
| 542 | @ <p style="color:red">%h(zErr)</p> |
| 543 | } |
| 544 | @ <table border="0"> |
| 545 |