annotate framework/env/request/set_csrf_secret.lua @ 260:f491011ebe16
Work on __init.lua files to support handling multiple requests per connect
| author |
jbe |
| date |
Sun Mar 15 01:20:06 2015 +0100 (2015-03-15) |
| parents |
32ec28229bb5 |
| children |
|
| rev |
line source |
|
jbe/bsw@0
|
1 --[[--
|
|
jbe/bsw@0
|
2 request.set_csrf_secret(
|
|
jbe/bsw@0
|
3 secret -- secret random string
|
|
jbe/bsw@0
|
4 )
|
|
jbe/bsw@0
|
5
|
|
jbe/bsw@0
|
6 Sets a secret string to be used as protection against cross-site request forgery attempts. This string will be transmitted to each action via a hidden form field named "_webmcp_csrf_secret". If this function is called during an action, and there is no CGI GET/POST parameter "_webmcp_csrf_secret" already being set to the given secret, then an error will be thrown to prohibit execution of the action.
|
|
jbe/bsw@0
|
7
|
|
jbe/bsw@0
|
8 --]]--
|
|
jbe/bsw@0
|
9
|
|
jbe/bsw@0
|
10 function request.set_csrf_secret(secret)
|
|
jbe/bsw@0
|
11 if
|
|
jbe/bsw@0
|
12 request.get_action() and
|
|
jbe@223
|
13 request._http_request.post_params["_webmcp_csrf_secret"] ~= secret
|
|
jbe/bsw@0
|
14 then
|
|
jbe/bsw@0
|
15 error("Cross-Site Request Forgery attempt detected");
|
|
jbe/bsw@0
|
16 end
|
|
jbe/bsw@0
|
17 request._csrf_secret = secret
|
|
jbe/bsw@0
|
18 end
|