webmcp
annotate framework/env/request/set_csrf_secret.lua @ 54:89030e955845
Changed partialload_encodeFormData(...) to allow non-string objects implementing .toString()
| author | jbe | 
|---|---|
| date | Tue Sep 06 21:05:11 2011 +0200 (2011-09-06) | 
| parents | 9fdfb27f8e67 | 
| children | 32ec28229bb5 | 
All 18 lines are annotated to revision jbe/bsw@0:

```lua
--[[--
request.set_csrf_secret(
  secret    -- secret random string
)

Sets a secret string to be used as protection against cross-site request forgery attempts. This string will be transmitted to each action via a hidden form field named "_webmcp_csrf_secret". If this function is called during an action, and there is no CGI GET/POST parameter "_webmcp_csrf_secret" already being set to the given secret, then an error will be thrown to prohibit execution of the action.

--]]--

function request.set_csrf_secret(secret)
  if
    request.get_action() and
    cgi.params._webmcp_csrf_secret ~= secret
  then
    error("Cross-Site Request Forgery attempt detected");
  end
  request._csrf_secret = secret
end
```
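The token flow this function enforces, shown end to end as an added example that is not webmcp's own code: the `request` and `cgi` tables, `request.get_action()`, the `current_action` switch and the session secret are stand-ins constructed for the demonstration, and only the check itself mirrors the function above.

```lua
-- Added example (not webmcp's own code): a self-contained simulation of the
-- synchronizer-token flow that request.set_csrf_secret() is part of.
-- `request`, `cgi`, `current_action` and the secret value are stand-ins
-- built here for the demonstration; they are not the framework's objects.

local request = {}
local cgi = { params = {} }
local current_action = nil            -- stand-in for request.get_action()

function request.get_action() return current_action end

-- Same check as the framework function, operating on the stand-in tables.
function request.set_csrf_secret(secret)
  if request.get_action() and cgi.params._webmcp_csrf_secret ~= secret then
    error("Cross-Site Request Forgery attempt detected")
  end
  request._csrf_secret = secret
end

-- Server side: the secret lives in the user's session. This is a constructed
-- value; a real deployment draws it from a CSPRNG (e.g. /dev/urandom).
local session_secret = "constructed-random-secret-0123456789abcdef"

-- 1. View request: no action is running, so the call only records the secret,
--    and the rendered form carries it in the hidden field the action expects
--    (a real template must HTML-escape the value).
current_action = nil
request.set_csrf_secret(session_secret)
local hidden_field = string.format(
  '<input type="hidden" name="_webmcp_csrf_secret" value="%s">',
  request._csrf_secret)
print(hidden_field)

-- 2. Legitimate action: the browser posts the hidden field back, so the
--    parameter equals the session secret and the check passes.
current_action = "save_profile"
cgi.params._webmcp_csrf_secret = session_secret
assert(pcall(request.set_csrf_secret, session_secret))

-- 3. Forged action: a cross-site form cannot read the victim's secret, so the
--    field is missing (or wrong) and the action is refused before it runs.
cgi.params._webmcp_csrf_secret = nil
local ok, err = pcall(request.set_csrf_secret, session_secret)
assert(not ok and err:find("Cross%-Site Request Forgery"))
print("forged request rejected: " .. err)
```

Note that the guard is `request.get_action()`: a view (GET) that merely renders the form is never rejected, so the protection depends on every state-changing operation being implemented as an action, not as a view.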