From c27d4e6b509a655d81e36469bb881afc287596e8 Mon Sep 17 00:00:00 2001 From: Yorhel Date: Fri, 29 Aug 2014 09:43:00 +0200 Subject: Strengthen formcode for non-logged-in visitors + CSRF protect login form formcode is strengthened by including the IP (-prefix) into the hash, ensuring that the code can't be obtained by someone on a different network. I also removed the login form of every page. Felt kinda pointless. --- lib/VNDB/Handler/Users.pm | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/VNDB/Handler/Users.pm') diff --git a/lib/VNDB/Handler/Users.pm b/lib/VNDB/Handler/Users.pm index 5738d964..eb7e03ab 100644 --- a/lib/VNDB/Handler/Users.pm +++ b/lib/VNDB/Handler/Users.pm @@ -142,6 +142,7 @@ sub login { my $frm; if($self->reqMethod eq 'POST') { + return if !$self->authCheckCode; $frm = $self->formValidate( { post => 'usrname', required => 1, minlength => 2, maxlength => 15 }, { post => 'usrpass', required => 1, minlength => 4, maxlength => 64, template => 'asciiprint' }, -- cgit v1.2.3
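Review bot: the bare `return if !$self->authCheckCode;` at the top of the POST branch in `sub login` leaves the error response entirely to `authCheckCode`; nothing in this hunk shows whether that method renders a denial page or only returns false, and in the latter case a visitor whose formcode is stale or missing would get an empty response with no way to retry. Worth confirming that `authCheckCode` emits a visible error, or rendering one here before returning. Since the commit message ties the formcode hash to the visitor's IP prefix, a client whose address changes between loading the form and submitting it (mobile networks, rotating proxies) will now fail this check on an otherwise valid login, so the failure path should present a fresh form with a clear message rather than a silent rejection. Placing the check before `formValidate` is the right order, as it rejects forged requests before any field processing.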