webmcp
annotate framework/env/request/set_csrf_secret.lua @ 2:72860d232f32
Version 1.0.2
Fixed bug with explicit garbage collection (requests > 256kB caused an error)
Views prefixed with an underscore can't be called externally
ui.paginate now displays the last page, if the selected page number is too high.
author | jbe/bsw |
---|---|
date | Thu Dec 10 12:00:00 2009 +0100 (2009-12-10) |
parents | 9fdfb27f8e67 |
children | 32ec28229bb5 |
Every line of this file is attributed to revision jbe/bsw@0 by the annotate view; the per-line revision and line-number columns have been folded into this note and the file is shown as-is below, with its original indentation restored.

```lua
--[[--
request.set_csrf_secret(
  secret  -- secret random string
)

Sets a secret string to be used as protection against cross-site request
forgery attempts. This string is transmitted to each action via a hidden
form field named "_webmcp_csrf_secret". If this function is called during
an action and the CGI GET/POST parameter "_webmcp_csrf_secret" is missing
or does not equal the given secret, an error is thrown and the action is
not executed.

--]]--

function request.set_csrf_secret(secret)
  if
    request.get_action() and
    cgi.params._webmcp_csrf_secret ~= secret
  then
    error("Cross-Site Request Forgery attempt detected");
  end
  request._csrf_secret = secret
end
```
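The check above only makes sense together with two things the file does not show: where the secret comes from and how it reaches the browser. The following stand-alone script is an added example, not webmcp's own code; it models the `request` and `cgi` tables with minimal stand-ins (the real `request.get_action()` and `cgi.params` are assumed to behave as modelled), generates a per-session secret from `/dev/urandom` (an assumption; webmcp's real session handling is not shown on this page), renders the hidden field a same-origin form would carry, and then runs the exact check from `set_csrf_secret` against a legitimate submission and two forged ones.

```lua
-- Added example (not webmcp's own code): a stand-alone model of the CSRF
-- check in request.set_csrf_secret, runnable with plain Lua 5.x on a
-- system that has /dev/urandom.  `request` and `cgi` are stand-ins for
-- webmcp's environment; the field names mirror the real ones, the rest
-- is assumed for the purpose of this example.

local request = {}
local cgi = { params = {} }

-- Stand-in for webmcp's request.get_action(): returns the action name
-- when the current request targets an action, nil for a view.
local current_action = nil
function request.get_action()
  return current_action
end

-- Same logic as the original function on this page.
function request.set_csrf_secret(secret)
  if
    request.get_action() and
    cgi.params._webmcp_csrf_secret ~= secret
  then
    error("Cross-Site Request Forgery attempt detected")
  end
  request._csrf_secret = secret
end

-- Per-session secret: 16 bytes from the kernel CSPRNG, hex-encoded.
-- math.random is not used because its seeding is predictable and a
-- guessable secret defeats the whole check.
local function new_csrf_secret()
  local f = assert(io.open("/dev/urandom", "rb"))
  local bytes = assert(f:read(16))
  f:close()
  return (bytes:gsub(".", function(c)
    return string.format("%02x", c:byte())
  end))
end

-- The hidden field a form rendered by the site itself carries; a form
-- hosted on an attacker's origin cannot fill it in because the secret is
-- never visible to that origin.
local function hidden_field(secret)
  return string.format(
    '<input type="hidden" name="_webmcp_csrf_secret" value="%s"/>', secret)
end

-- Simulate one request: `params` is the parsed GET/POST data, `action`
-- the action being invoked (nil for a view).  Returns true when the
-- action may run, or false plus the error message when it is rejected.
local function handle(session_secret, action, params)
  current_action = action
  cgi.params = params
  return pcall(request.set_csrf_secret, session_secret)
end

local secret = new_csrf_secret()
assert(#secret == 32)

-- 1. Views are never checked: only actions (state-changing requests) are guarded.
assert(handle(secret, nil, {}))

-- 2. A same-origin form submits the matching secret and the action runs.
assert(hidden_field(secret):find(secret, 1, true))
assert(handle(secret, "update_profile", { _webmcp_csrf_secret = secret }))

-- 3. A cross-site form either omits the field or guesses it; both are
--    rejected before the action body executes.
local ok, err = handle(secret, "update_profile", {})
assert(not ok and err:find("Cross-Site Request Forgery", 1, true))
ok, err = handle(secret, "update_profile", { _webmcp_csrf_secret = "guess" })
assert(not ok and err:find("Cross-Site Request Forgery", 1, true))

print("all CSRF checks behaved as expected")
```

Two practical points follow from the code. First, the protection is only as strong as the secret: it has to be generated per session from a cryptographic source and kept out of any response an attacker's origin can read, otherwise the hidden field can simply be replayed. Second, because the comparison is skipped whenever `request.get_action()` is nil, anything that changes state must be implemented as an action, never as a view, or it silently falls outside the check.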