From cd67bed21386964219681a3c523a16d1ab747d23 Mon Sep 17 00:00:00 2001
From: Colin Kuskie
Date: Tue, 14 Jul 2009 15:52:55 +0000
Subject: [PATCH] Add a form to the admin console for CSRF protected actions.
---
.../packages-7.7.15/admin_console2.wgpkg | Bin 0 -> 2065 bytes
lib/WebGUI/AdminConsole.pm | 33 ++++++++++++++++--
2 files changed, 31 insertions(+), 2 deletions(-)
create mode 100644 docs/upgrades/packages-7.7.15/admin_console2.wgpkg
diff --git a/docs/upgrades/packages-7.7.15/admin_console2.wgpkg b/docs/upgrades/packages-7.7.15/admin_console2.wgpkg new file mode 100644 index 0000000000000000000000000000000000000000..61e30fcd250054240138ff695520b2b1cb08cdab GIT binary patch literal 2065 zcmV+s2=4bEiwFP!00000|Ls|Aa}zfZ&gcG$t23nw%1w#3NKlnu}t@eHQIX5?M|FyNX)$eyVHuPt22S3|8 z@EPT=t&Mhjd%M@~wL9INji}w;+U{>eaOC!1OR0ze(Iz}$=|%m0OG$;SCu`;4h05XQ znyp_G38iia?;Z2K`Bw7uGYJYDd)Dt2{%`koI@>G$-|4iw8xdIZ_FuQ<|K{zB{yA>= z=Q~KkhN6osA&Q<8rO0HypsA9LXb`=6{S(rq;)2X*xReQ=QK1;cjmSoGN{CcX-ep`U z8jp~aE|UbgX!1l*xF&vhtywiXjhp~ksE~gnTaFVZ=QQ@jlwO^(H0D=$YRePoJ0-|d zO5zhTlSgE70jD(MJ)O(ZT+rz+XN@;c^e%aq#0!=_;;G~bZG}IY6DjXKIBP`eI-_tv z0oxX=!HS>>EJ$^oP!NeKSZWRTiz z$_6ZG`~`G9OTU1&{3@m5ITY9f5ist3BJq@;wLdvh7?@wk_HKT`s(vbA|jOZArV6`UCb_{ z38aLCIJpuegNy-xTLOz=71k0qA&T+zTrrhUh%gK{pv@_p&DEga$=*S9!m%?IT;mTm z@t|hgf(vWeUvY6kAph2~(wj!Gsgj#D|M@DXP|Yy0jx#c`8lR~%_2Uoi-qr(D!wTvY zN;uD=&=h(B6?Qw=G@6hUV#Kb(dflxfZyBqqz8nq^R}s7wA-smLX^$;tHl00r4W!ESVuyQ7xFAx)Pqth8H9Xb1K7kg(Kj%JU%%6i>E#;Z4ZJ#hl`^ zSwhcw8u-+E^at=0PbZK{7hrR_x`g2#O0XUyP#qtCp>baL zT{Y$_>?j*%^_ul|39R7rJ}euh4EJTVsAe9*p*GJIOPIP|la_@YPMZohj$!grTrx$Q zuAt_r7SO6)`3Cd!1T*qMsNI`qe8$oe!TB=(%$3XY)AUi}$XpOh{lI29r%C22nhO%W zW)w65pIf3>eXej+ZNhk*-o4{PJ3oB~Ymx6bmGh}wkR)m0nHihnbZYv^uQzoh(_KuL zwUUD+%GL_ot!{NrTQ8WGJ=oj4xh>kcW#>N3Emtg7^8tPZ!7+>rO)=zL+c_&Y>E2n; zs;Zow=ukKS?G9;75=M-cLA$Rs{=#luZ77Iqp-za5LhKU7bV>zy6hCbUv6LxH>PKc=ziR>sx>ebcN-U`% z(*%aQDS>xe)?keJDL+|gDeDhGvOr*1NCkOdqa?rq>6{9to{MB(@Wm0##HpF?17wN8 z^gCG?q;N{dzdb(~3`QDl3m~44f6mcc(;#K{B8uhkLDzuRY745p$~b? 
zrp%(*_V!M{+v(ol>3J3wn7m-rfa1O~b@Nb?g6rMOR`It`0GO_rrC@-~6z&m$$`@6f{{&o-rf?hH`7d&`H`j*ah<87imM$qHTNTr zpqlH!SR>TJJn!*oF#LEZbrU)b*!x4a*_tw4%{IW2)hu#Ey2`~Ct`LnD6bfgZ9O4)Z zYFS}>#ECU1OlFkM3y(#ewVX#@TPS~#ha_GbHxpHL){m^}wbeW)gdlURRQZ5pj%sWf zS^MNeWH@NnTB6#79gy`K(uzrnn9p`1OznETt;_+imL(tpI}`f!c5Hg=yL;j2%oBzEa0!o zs448Q21K<&=4-TC1IpIwkfW5aEEND&rMQJ1)#W8XSgz9KIUUee(N_iTsz6+YXv=lT zv&v93PWEp5=97mM?M#ZIlwz3*Q=dOSKAz1nR3 z?;xtR`TF&6vy~$$qm-X+6`9%pT~7bv&$4WMx;%OD^T}x08OI0l%aPy7session->url->getBackToSiteURL(); - $var{"formHeader"} = WebGUI::Form::formHeader($self->session) - . WebGUI::Form::hidden($self->session, { name=>'func', value=>'' }); + my $formId = $self->getSubmenuFormId; + $var{"formHeader"} = WebGUI::Form::formHeader($self->session, { action => $self->{_formUrl}, extras => qq|id='$formId'|, }); $var{"formFooter"} = WebGUI::Form::formFooter($self->session); my $template = WebGUI::Asset::Template->new( @@ -321,6 +321,23 @@ sub render { #------------------------------------------------------------------- +=head2 setFormUrl ( $url ) + +Sets the action for the form that is used to submit CSRF requests. + +=head3 $url + +The URL for the form to submit to. + +=cut + +sub setFormUrl { + my $self = shift; + $self->{_formUrl} = shift; +} + +#------------------------------------------------------------------- + =head2 setHelp ( id [,namespace] ) Sets the _helpUrl to the urlized page. @@ -360,6 +377,18 @@ sub getHelp { #------------------------------------------------------------------- +=head2 getSubmenuFormId ( ) + +Returns the id of the form used to to CSRF submits. + +=cut + +sub getSubmenuFormId { + return 'submenuForm'; +} + +#------------------------------------------------------------------- + =head2 session ( ) Returns a reference to the current session.
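Review bot: `setFormUrl` (hunk `@@ -321,6 +321,23 @@`) stores its argument in `$self->{_formUrl}` without any check, and the `render` change in this same patch emits that value as the `action` of the form used for CSRF-protected submits. If `formHeader` embeds the session's CSRF token in that form (not visible here, but implied by the commit subject), an absolute off-site URL would send the token to another host. The setter should reject a value that starts with a scheme or `//`, or the `=head3 $url` text should at least say `Must be a URL on this site; the form carries the CSRF token.` `render` also reads `_formUrl` when `setFormUrl` was never called, so the action can be undef; what `formHeader` does with an undef action is not visible in this patch and is worth stating in the POD.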
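Review bot: The POD added for `getSubmenuFormId` (hunk `@@ -360,6 +377,18 @@`) reads "used to to CSRF submits", which looks like a typo; `Returns the id of the form used to do CSRF submits.` is presumably what was meant. The returned id is interpolated unescaped into `extras => qq|id='$formId'|` in `render`, which is harmless for the constant `'submenuForm'` but becomes an attribute-injection risk if a subclass overrides the method with a computed value. The POD should add a sentence such as `Overrides must return a value that is safe inside a single-quoted HTML attribute.`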