From: <de...@de...> - 2009-09-02 10:29:37
Author: SopanShewale
Date: 2009-09-02 05:29:25 -0500 (Wed, 02 Sep 2009)
New Revision: 18144
Trac url: http://develop.twiki.org/trac/changeset/18144
Added: twiki/branches/TWikiRelease04x03/templates/oopsinvalidtoken.tmpl
Modified: twiki/branches/TWikiRelease04x03/lib/MANIFEST
twiki/branches/TWikiRelease04x03/lib/TWiki/UI.pm
twiki/branches/TWikiRelease04x03/templates/messages.tmpl
Log: Item6296: CSRF Fix for TWiki
Modified: twiki/branches/TWikiRelease04x03/lib/MANIFEST
===================================================================
--- twiki/branches/TWikiRelease04x03/lib/MANIFEST 2009-09-02 10:23:56 UTC (rev 18143)
+++ twiki/branches/TWikiRelease04x03/lib/MANIFEST 2009-09-02 10:29:25 UTC (rev 18144)
@@ -1047,6 +1047,7 @@
 templates/moveattachment.tmpl 0444
 templates/oops.tmpl 0444
 templates/oopsaccessdenied.tmpl 0444
+templates/oopsinvalidtoken.tmpl 0444
 templates/oopsalerts.tmpl 0444
 templates/oopsalertsnohtml.tmpl 0444
 templates/oopsattention.tmpl 0444
Modified: twiki/branches/TWikiRelease04x03/lib/TWiki/UI.pm
===================================================================
--- twiki/branches/TWikiRelease04x03/lib/TWiki/UI.pm 2009-09-02 10:23:56 UTC (rev 18143)
+++ twiki/branches/TWikiRelease04x03/lib/TWiki/UI.pm 2009-09-02 10:29:25 UTC (rev 18144)
@@ -336,7 +336,8 @@
 my ($session, $crypt_token) = @_;
 my $cgi = $session->{users}->{loginManager}->{_cgisession};
 my $id = $cgi->id();
-
+ my $webName = $session->{webName};
+ my $topicName = $session->{topicName};
 use CGI::Session;
 my $cgisess = CGI::Session->new( undef, $id,
@@ -358,7 +359,16 @@
 }
 }
- if (!$success) { throw Error::Simple("Invalid token or the time is expired");}
+ if (!$success) {
+
+ throw
+ TWiki::OopsException( 'invalidtoken',
+ def => 'invalid_token',
+ web => $webName,
+ topic => $topicName,
+ params => [] );
+ }
+ return $success;
 }
Modified: twiki/branches/TWikiRelease04x03/templates/messages.tmpl
===================================================================
--- twiki/branches/TWikiRelease04x03/templates/messages.tmpl 2009-09-02 10:23:56 UTC (rev 18143)
+++ twiki/branches/TWikiRelease04x03/templates/messages.tmpl 2009-09-02 10:29:25 UTC (rev 18144)
@@ -532,3 +532,11 @@
 %MAKETEXT{"Contact [_1] if you have any questions." args="%WIKIWEBMASTER%"}%
 %TMPL:END%
+
+%TMPL:DEF{"invalid_token"}%
+%MAKETEXT{"Content update is rejected due to an invalid crypt token. Possible reasons: Expired edit session, pressing browser back button after a successful save, or an attempted CSRF (cross-site request forgery).
+
+A TWiki administrator can enable/disable the crypt token based CSRF protection with the {CryptToken}{Enable} configure setting. " args=""}%
+
+%TMPL:END%
+
Added: twiki/branches/TWikiRelease04x03/templates/oopsinvalidtoken.tmpl
===================================================================
--- twiki/branches/TWikiRelease04x03/templates/oopsinvalidtoken.tmpl (rev 0)
+++ twiki/branches/TWikiRelease04x03/templates/oopsinvalidtoken.tmpl 2009-09-02 10:29:25 UTC (rev 18144)
@@ -0,0 +1,11 @@
+%{ This is a default template }%%{ Templates invalid crypt tokens }%
+%TMPL:INCLUDE{"oops"}%
+
+%TMPL:DEF{"titleaction"}%%MAKETEXT{"(Invalid Crypt Token)"}% %TMPL:END%
+%TMPL:DEF{"webaction"}% *%MAKETEXT{"Attention"}%* %TMPL:END%
+%TMPL:DEF{"heading"}%%MAKETEXT{"Invalid Crypt Token"}%%TMPL:END%
+%TMPL:DEF{"topicactionbuttons"}% [[%WEB%.%TOPIC%][%MAKETEXT{"OK"}%]] %TMPL:END%
+
+%TMPL:DEF{"message"}%
+%INSTANTIATE%
+%TMPL:END% |
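Review bot: The rejection branch now throws `TWiki::OopsException` where it used to throw `Error::Simple`, so any caller of this routine that catches `Error::Simple` specifically will no longer see a token failure; the enclosing sub starts outside the hunk so I cannot check its call sites, but the new contract deserves a comment above the `if`, e.g. `# Throws TWiki::OopsException('invalidtoken') when the crypt token is missing, stale or mismatched; the oops page links back to $webName.$topicName.` The old server-side message disappears together with the exception, and since a mismatched token is one of the signals of a CSRF attempt it is worth recording the rejection in the session's warning log before throwing, so that repeated failures are visible to an administrator. As a matter of style the blank line inside the `if` and the `throw` split from its argument across two lines read as leftovers; `throw TWiki::OopsException('invalidtoken', def => 'invalid_token', web => $webName, topic => $topicName, params => []);` as one statement matches the surrounding code better. `$webName` and `$topicName` are taken from `$session` in the earlier hunk of this file and are rendered into the `%WEB%.%TOPIC%` link of the new oops template, which is fine provided request setup has already normalized them — confirm rather than assume.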
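Review bot: The new `invalid_token` definition passes `args=""` to `%MAKETEXT%` although the string contains no `[_1]` placeholder, and the string ends with a trailing space before the closing quote (`setting. "`); both should be dropped so translators get a clean msgid. The wording `Content update is rejected due to an invalid crypt token.` mixes tenses with the list of past causes that follows; `Content update was rejected because the crypt token is invalid.` reads more naturally. The hint about the `{CryptToken}{Enable}` configure setting is addressed to administrators but is shown to every visitor; it is harmless, though it may fit better in the configure item's own documentation than on the oops page.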