webmcp
view framework/env/request/set_csrf_secret.lua @ 11:d76a8857ba62
Added ui.partial and other functions, which allow partial content replacement using XMLHttpRequests; Image support for ui.link
Also includes following changes:
- Fix for rocketcgi library to accept POST data content-types, which contain additional charset information.
- Support arrays passed as params to encode.url (only for keys ending with "[]")
- Version information changed to "1.0.7"
Documentation for added functions is not yet complete.
Also includes following changes:
- Fix for rocketcgi library to accept POST data content-types, which contain additional charset information.
- Support arrays passed as params to encode.url (only for keys ending with "[]")
- Version information changed to "1.0.7"
Documentation for added functions is not yet complete.
| author | jbe/bsw |
|---|---|
| date | Fri Feb 12 18:40:22 2010 +0100 (2010-02-12) |
| parents | 9fdfb27f8e67 |
| children | 32ec28229bb5 |
line source
1 --[[--
2 request.set_csrf_secret(
3 secret -- secret random string
4 )
6 Sets a secret string to be used as protection against cross-site request forgery attempts. This string will be transmitted to each action via a hidden form field named "_webmcp_csrf_secret". If this function is called during an action, and there is no CGI GET/POST parameter "_webmcp_csrf_secret" already being set to the given secret, then an error will be thrown to prohibit execution of the action.
8 --]]--
10 function request.set_csrf_secret(secret)
11 if
12 request.get_action() and
13 cgi.params._webmcp_csrf_secret ~= secret
14 then
15 error("Cross-Site Request Forgery attempt detected");
16 end
17 request._csrf_secret = secret
18 end