authorYorhel <git@yorhel.nl>2010-11-06 16:46:01 +0100
committerYorhel <git@yorhel.nl>2010-11-06 16:46:01 +0100
commite625403d6108b3f95361ece3c4311dae88747107 (patch)
tree0f456df20316562333d4ae76ce1a02b703279747 /lib/VNDB/Handler/ULists.pm
parent09307455ced2b60ea2abb161fc59f8efdafefdfa (diff)
Fixed cross-site request forgery vulnerabilities
Diffstat (limited to 'lib/VNDB/Handler/ULists.pm')
-rw-r--r--lib/VNDB/Handler/ULists.pm17
1 files changed, 12 insertions, 5 deletions
diff --git a/lib/VNDB/Handler/ULists.pm b/lib/VNDB/Handler/ULists.pm
index 5abebf37..a610a14a 100644
--- a/lib/VNDB/Handler/ULists.pm
+++ b/lib/VNDB/Handler/ULists.pm
@@ -23,6 +23,7 @@ sub vnvote {
my $uid = $self->authInfo->{id};
return $self->htmlDenied() if !$uid;
+ return if !$self->authCheckCode;
my $f = $self->formValidate(
{ name => 'v', enum => [ -1, 1..10 ] }
);
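Review bot: The new guard `return if !$self->authCheckCode;` leaves vnvote without emitting any response of its own, so the outcome for a failed check depends entirely on whether authCheckCode renders a rejection page before returning false; that is not visible here and should be confirmed. The same bare-return guard is repeated in vnwish and rlist in the next two hunks and inside the POST branches of wishlist and vnlist, so the contract only needs stating once, at this first use: `# authCheckCode renders the rejection page itself on failure; nothing more to emit here`. If it does not render anything, these returns should instead send an explicit denied response, as the `htmlDenied()` line just above does for anonymous users. Placing the check after the login check is right, since anonymous requests still get the denied page rather than a token error. The body of vnvote continues outside the hunk.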
@@ -41,6 +42,7 @@ sub vnwish {
my $uid = $self->authInfo->{id};
return $self->htmlDenied() if !$uid;
+ return if !$self->authCheckCode;
my $f = $self->formValidate(
{ name => 's', enum => [ -1, @{$self->{wishlist_status}} ] }
);
@@ -68,6 +70,7 @@ sub rlist {
my $uid = $self->authInfo->{id};
return $self->htmlDenied() if !$uid;
+ return if !$self->authCheckCode;
my $f = $self->formValidate(
{ name => 'e', required => 1, enum => [ 'del', map("r$_", @{$self->{rlst_rstat}}), map("v$_", @{$self->{rlst_vstat}}) ] },
);
@@ -110,6 +113,7 @@ sub wishlist {
return 404 if $f->{_err};
if($own && $self->reqMethod eq 'POST') {
+ return if !$self->authCheckCode;
my $frm = $self->formValidate(
{ name => 'sel', required => 0, default => 0, multi => 1, template => 'int' },
{ name => 'batchedit', required => 1, enum => [ -1, @{$self->{wishlist_status}} ] },
@@ -146,8 +150,10 @@ sub wishlist {
end;
end;
- form action => "/u$uid/wish?f=$f->{f};o=$f->{o};s=$f->{s};p=$f->{p}", method => 'post'
- if $own;
+ if($own) {
+ my $code = $self->authGetCode("/u$uid/wish");
+ form action => "/u$uid/wish?formcode=$code;f=$f->{f};o=$f->{o};s=$f->{s};p=$f->{p}", method => 'post';
+ }
$self->htmlBrowse(
class => 'wishlist',
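Review bot: On the new `form action` line the anti-CSRF token travels in the action URL's query string (`formcode=$code`), so it ends up in the Referer header sent with any outbound link on the resulting page, in proxy and server access logs, and in browser history, which weakens the protection this commit adds; carrying it as a hidden field inside the form keeps it in the POST body instead. The same applies to the `;formcode=` appended to `$url->()` in _vnlist_browse in the last hunk. It is also worth confirming that authGetCode returns only URL-safe characters, since `$code` is interpolated into the URL without escaping. The enclosing wishlist body starts outside this hunk.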
@@ -210,6 +216,7 @@ sub vnlist {
return 404 if $f->{_err};
if($own && $self->reqMethod eq 'POST') {
+ return if !$self->authCheckCode;
my $frm = $self->formValidate(
{ name => 'sel', required => 0, default => 0, multi => 1, template => 'int' },
{ name => 'batchedit', required => 1, enum => [ 'del', map("r$_", @{$self->{rlst_rstat}}), map("v$_", @{$self->{rlst_vstat}}) ] },
@@ -266,14 +273,14 @@ sub vnlist {
end;
end;
- _vnlist_browse($self, $own, $list, $np, $f, $url);
+ _vnlist_browse($self, $own, $list, $np, $f, $url, $uid);
$self->htmlFooter;
}
sub _vnlist_browse {
- my($self, $own, $list, $np, $f, $url) = @_;
+ my($self, $own, $list, $np, $f, $url, $uid) = @_;
- form action => $url->(), method => 'post'
+ form action => $url->().';formcode='.$self->authGetCode("/u$uid/list"), method => 'post'
if $own;
$self->htmlBrowse(