annotate framework/env/request/set_csrf_secret.lua @ 435:f704f35923e2
Added a (currently unused) pure Lua version of extos.pfilter(...)
 | author | jbe | 
 | date | Sat Jan 16 04:44:16 2016 +0100 (2016-01-16) | 
 | parents | 32ec28229bb5 | 
 | children |  | 
 
 | rev | line source | 
| jbe/bsw@0 | 1 --[[-- | 
| jbe/bsw@0 | 2 request.set_csrf_secret( | 
| jbe/bsw@0 | 3   secret                 -- secret random string | 
| jbe/bsw@0 | 4 ) | 
| jbe/bsw@0 | 5 | 
| jbe/bsw@0 | 6 Sets a secret string to be used as protection against cross-site request forgery attempts. This string will be transmitted to each action via a hidden form field named "_webmcp_csrf_secret". If this function is called during an action, and there is no CGI GET/POST parameter "_webmcp_csrf_secret" already being set to the given secret, then an error will be thrown to prohibit execution of the action. | 
| jbe/bsw@0 | 7 | 
| jbe/bsw@0 | 8 --]]-- | 
| jbe/bsw@0 | 9 | 
| jbe/bsw@0 | 10 function request.set_csrf_secret(secret) | 
| jbe/bsw@0 | 11   if | 
| jbe/bsw@0 | 12     request.get_action() and | 
| jbe@223 | 13     request._http_request.post_params["_webmcp_csrf_secret"] ~= secret | 
| jbe/bsw@0 | 14   then | 
| jbe/bsw@0 | 15     error("Cross-Site Request Forgery attempt detected"); | 
| jbe/bsw@0 | 16   end | 
| jbe/bsw@0 | 17   request._csrf_secret = secret | 
| jbe/bsw@0 | 18 end |
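Two things about the revision shown above are worth checking against the code rather than the doc comment. The comment on line 6 still says the secret may arrive as a "GET/POST parameter", but line 13 (revised in jbe@223) consults only `request._http_request.post_params`, so a secret placed in the query string does not satisfy the check; that is the safer behaviour, because a secret that is accepted in URLs ends up in Referer headers and access logs. Also, the comparison is a plain `~=`, so if a caller passes `nil` as the secret the check is trivially satisfied by a request that carries no field at all. The harness below is an added example, not WebMCP project code: it stubs the two pieces of `request` the function touches (`request.get_action()` and `request._http_request` with `post_params`/`get_params` tables, both assumed to look like this) and runs the function from this page through the legitimate, forged, query-string-only and nil-secret cases.

```lua
-- Added example (not WebMCP project code): a stand-alone harness that
-- exercises request.set_csrf_secret() with a stubbed request object.
-- Assumed shape: request.get_action() returns the action name or nil, and
-- request._http_request carries post_params / get_params tables, which is
-- all the function on this page touches.

request = {}
request._http_request = { post_params = {}, get_params = {} }
request._action = nil

function request.get_action()
  return request._action
end

-- The function as it appears on this page (line 13 at rev jbe@223).
function request.set_csrf_secret(secret)
  if
    request.get_action() and
    request._http_request.post_params["_webmcp_csrf_secret"] ~= secret
  then
    error("Cross-Site Request Forgery attempt detected");
  end
  request._csrf_secret = secret
end

-- Simulate one request: `action` is nil for a view, a name for an action.
-- Returns true when the secret was accepted, or false plus the error text.
local function simulate(action, get_params, post_params, secret)
  request._action = action
  request._http_request.get_params = get_params or {}
  request._http_request.post_params = post_params or {}
  request._csrf_secret = nil
  return pcall(request.set_csrf_secret, secret)
end

local SECRET = "constructed-session-secret-5d2e9c"   -- constructed for the demo

-- 1. A view (no action) performs no check; it only stores the secret so the
--    form renderer can emit the hidden "_webmcp_csrf_secret" field.
assert(simulate(nil, {}, {}, SECRET))
assert(request._csrf_secret == SECRET)

-- 2. Legitimate action: the browser posted the hidden field back unchanged.
assert(simulate("update", {}, { _webmcp_csrf_secret = SECRET }, SECRET))

-- 3. Forged POST from a third-party origin: the attacker cannot know the secret.
local ok, err = simulate("update", {}, { _webmcp_csrf_secret = "guess" }, SECRET)
assert(not ok and err:find("Cross%-Site Request Forgery"))

-- 4. Field missing entirely (an <img src=...> or a plain link to the action).
ok, err = simulate("update", {}, {}, SECRET)
assert(not ok)

-- 5. Secret supplied only in the query string: rejected, because only
--    post_params is consulted, so the secret never has to live in a URL.
ok = simulate("update", { _webmcp_csrf_secret = SECRET }, {}, SECRET)
assert(not ok)

-- 6. Caveat: with secret == nil the comparison `nil ~= nil` is false, so the
--    check passes for a request that carries no field at all. The caller must
--    always pass a real, non-empty secret (for example, one bound to the session).
assert(simulate("update", {}, {}, nil))

print("all CSRF scenarios behaved as expected")
```

Run it with any Lua 5.1 or later interpreter; every `assert` must hold. Scenario 6 is the one to keep in mind when wiring this function into an application: the function protects actions only as well as the secret handed to it, so the secret must be generated from a cryptographic random source, stored server-side (or in a signed session), and never be `nil` or empty at the point of the call.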