[geeklog-cvs] geeklog: Added a security token on the authentication form to re...

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Tue Dec 29 08:00:31 EST 2009


changeset 7545:b4d55a55dc27
url:  http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/b4d55a55dc27
user: Dirk Haun <dirk at haun-online.de>
date: Fri Dec 25 15:31:02 2009 +0100
description:
Added a security token on the authentication form to resend requests after a token expired

diffstat:

 public_html/users.php   |  4 ++--
 system/lib-security.php |  2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diffs (27 lines):

diff -r 578a3e9b510b -r b4d55a55dc27 public_html/users.php
--- a/public_html/users.php	Wed Dec 23 09:01:52 2009 +0100
+++ b/public_html/users.php	Fri Dec 25 15:31:02 2009 +0100
@@ -876,9 +876,9 @@
         $getdata = urldecode($_POST['token_getdata']);
     }
 
-    if (!empty($method) && !empty($returnurl) &&
+    if (SECINT_checkToken() && (!empty($method) && !empty($returnurl) &&
             ((($method == 'POST') && !empty($postdata)) ||
-             (($method == 'GET') && !empty($getdata)))) {
+             (($method == 'GET') && !empty($getdata))))) {
 
         $req = new HTTP_Request($returnurl);
         if ($method == 'POST') {
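Review bot: The token check added on L30 is folded into the same condition as the "is there anything to resend" test, so a rejected token is indistinguishable from an empty form and, as far as the hunk shows, yields no log entry or user-visible message; it is also evaluated first, so SECINT_checkToken() runs even when `$method` or `$returnurl` is empty, which matters if that function consumes the token (not visible here). Keeping the original opening line and appending the guard at the end, `(($method == 'GET') && !empty($getdata))) && SECINT_checkToken()) {`, makes the token the last thing checked and removes the five closing parentheses on L33; a separate `if (!SECINT_checkToken())` branch that logs the rejected resend would be clearer still. `$returnurl` is still handed straight to `new HTTP_Request($returnurl)` on L35 — the token only proves the form was issued by this site, so a check that the URL points back at `$_CONF['site_url']` should exist elsewhere in users.php if it does not already. The enclosing code block starts and ends outside the hunk.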
diff -r 578a3e9b510b -r b4d55a55dc27 system/lib-security.php
--- a/system/lib-security.php	Wed Dec 23 09:01:52 2009 +0100
+++ b/system/lib-security.php	Fri Dec 25 15:31:02 2009 +0100
@@ -1292,6 +1292,8 @@
               . urlencode($getdata) . '"' . XHTML . '>' . LB;
     $services .= '<input type="hidden" name="token_requestmethod" value="'
               . $method . '"' . XHTML . '>' . LB;
+    $services .= '<input type="hidden" name="' . CSRF_TOKEN . '" value="'
+              . SEC_createToken() . '"'. XHTML . '>' . LB;
     $authform->set_var('services', $services);
     $authform->set_var('openid_login', ''); // TBD
 
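Review bot: The new hidden field on L44-L45 carries no comment tying it to the consumer in public_html/users.php, and since this form is shown precisely because an earlier token expired, a reader should know that this token has its own lifetime starting at render time. A one-line comment above L44 such as `// CSRF token for the resend request; verified by SECINT_checkToken() in users.php` would make the pairing visible. SEC_createToken() is called with its default TTL here; if that default is short relative to how long a user may leave the login form open, the resend fails the same way the original request did, so the default is worth confirming. The enclosing function starts and ends outside the hunk.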


