webmcp
view framework/env/request/set_csrf_secret.lua @ 2:72860d232f32
Version 1.0.2
Fixed bug with explicit garbage collection (requests > 256kB caused an error)
Views prefixed with an underscore can't be called externally
ui.paginate now displays the last page, if the selected page number is too high.
author | jbe/bsw |
---|---|
date | Thu Dec 10 12:00:00 2009 +0100 (2009-12-10) |
parents | 9fdfb27f8e67 |
children | 32ec28229bb5 |
```lua
--[[--
request.set_csrf_secret(
  secret  -- secret random string
)

Sets a secret string to be used as protection against cross-site request forgery attempts. This string will be transmitted to each action via a hidden form field named "_webmcp_csrf_secret". If this function is called during an action, and there is no CGI GET/POST parameter "_webmcp_csrf_secret" already being set to the given secret, then an error will be thrown to prohibit execution of the action.

--]]--

function request.set_csrf_secret(secret)
  if
    request.get_action() and
    cgi.params._webmcp_csrf_secret ~= secret
  then
    error("Cross-Site Request Forgery attempt detected");
  end
  request._csrf_secret = secret
end
```
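The behaviour documented above, exercised in a stand-alone harness (an added example, not part of the webmcp source). The `request.get_action` and `cgi.params` stubs, the `simulate` helper and the `set_csrf_secret_strict` wrapper are assumptions made for illustration, and the secret is a constructed sample value.

```lua
-- Added example: stubbed webmcp globals (assumptions, not the framework's own).
local request, cgi = {}, { params = {} }
local current_action = nil                 -- hypothetical stub state
function request.get_action() return current_action end

-- Function body as shown on the page.
function request.set_csrf_secret(secret)
  if
    request.get_action() and
    cgi.params._webmcp_csrf_secret ~= secret
  then
    error("Cross-Site Request Forgery attempt detected");
  end
  request._csrf_secret = secret
end

-- Hypothetical wrapper: refuse a missing or empty secret, because
-- nil ~= nil is false and the comparison above would then not raise.
local function set_csrf_secret_strict(secret)
  if type(secret) ~= "string" or secret == "" then
    error("CSRF secret must be a non-empty string")
  end
  return request.set_csrf_secret(secret)
end

-- Simulate one request; returns true if the setter raised no error.
local function simulate(action, param, secret, setter)
  current_action = action
  cgi.params = { _webmcp_csrf_secret = param }
  request._csrf_secret = nil
  return (pcall(setter, secret))
end

local S = "constructed-sample-secret"
local set = request.set_csrf_secret
assert(simulate(nil, nil, S, set) == true)         -- view: no check, secret stored
assert(simulate("update", S, S, set) == true)      -- action, field matches
assert(simulate("update", nil, S, set) == false)   -- action, field missing
assert(simulate("update", "x", S, set) == false)   -- action, field differs
assert(simulate("update", nil, nil, set) == true)  -- nil secret: no error raised
assert(simulate("update", nil, nil, set_csrf_secret_strict) == false)
print("all cases behave as described")
```

Callers should generate the secret per session and make sure it is a non-empty string before passing it in, as the last two cases show.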