Provide a framework for CSRF protection, with tests.

Add CSRF protection to Asset editSave, AssetManager, VersionTags and Group operations.
This commit is contained in:
Colin Kuskie 2009-07-06 16:58:57 +00:00
parent 4664ab7035
commit 5e4db3adb4
19 changed files with 362 additions and 62 deletions


@ -174,5 +174,24 @@ sub process {
});
}
#-------------------------------------------------------------------
=head2 validToken ( )
Checks that the current form has a method=POST, and that it has a CSRF token matching
the one in this user's current session.
=cut
sub validToken {
my ($self) = @_;
my $session = $self->session;
$session->log->warn('method: '. $session->request->method);
$session->log->warn('token: '. $session->scratch->get('webguiCsrfToken'));
return 0 unless $session->request->method eq 'POST';
return 0 unless $self->param('webguiCsrfToken') eq $session->scratch->get('webguiCsrfToken');
return 1;
}
1;
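Review bot: The new validToken passes when neither side has a token: if the session scratch has no `webguiCsrfToken` yet and the request omits the parameter, both sides of the `eq` on the `return 0 unless $self->param(...)` line are undef, `undef eq undef` is true, and the method returns 1 for any POST — so the check should require a defined, non-empty stored token before comparing. The two `$session->log->warn(...)` lines just above also write the session's CSRF token to the log at warn level, which leaks the secret into log files and looks like leftover debugging; they should be dropped. The POST-method test itself is fine, and the comparison could later be made constant-time, but the defined/non-empty guard is the correctness issue. The enclosing `sub process` named in the hunk header starts outside this hunk.
```perl
sub validToken {
    my ($self) = @_;
    my $session = $self->session;
    return 0 unless $session->request->method eq 'POST';
    # Refuse when no token has been issued yet; otherwise undef eq undef passes.
    my $stored = $session->scratch->get('webguiCsrfToken');
    return 0 unless defined $stored && length $stored;
    my $given = $self->param('webguiCsrfToken');
    return 0 unless defined $given && $given eq $stored;
    return 1;
}
```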