Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | we need to armour the cookie value. Otherwise, it can contain values which aren't legal in a CGI parameter name. |
|---|---|
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA1: |
89bfff7fd9f3af9ae6246f39c248dc75 |
| User & Date: | cpb 2008-10-23 16:24:49 |
Context
|
2008-10-29
| ||
| 18:45 | (#766) handle missing f parameter check-in: 4b004e65d5 user: cpb tags: trunk | |
|
2008-10-23
| ||
| 16:24 | we need to armour the cookie value. Otherwise, it can contain values which aren't legal in a CGI parameter name. check-in: 89bfff7fd9 user: cpb tags: trunk | |
|
2008-10-21
| ||
| 02:05 | add some CSRF (http://en.wikipedia.org/wiki/Cross-site_request_forgery) prevention. It's a little over-engineered in places, but the patch itself is non-intrusive enough that this isn't a huge problem. check-in: 8a6641cd16 user: cpb tags: trunk | |
Changes
Changes to login.c.
381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 |
** Note that the resulting token _field name_ ends up being the value
** of the cookie, not the cookie name. For logged in users, this means
** we're effectively doing a "double submit" cookie test using the field
** name.
*/
static const char* login_csrf_token_name(void){
const char *z;
if( !g.isAnon ) return P(login_cookie_name());
/*
** Well, that's about all we have for anon users. IP address is the
** only other usable option.
*/
return encode64(((z = getenv("REMOTE_ADDR")) ? z : "0.0.0.0"),0);
}
|
| |
381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 |
** Note that the resulting token _field name_ ends up being the value
** of the cookie, not the cookie name. For logged in users, this means
** we're effectively doing a "double submit" cookie test using the field
** name.
*/
static const char* login_csrf_token_name(void){
const char *z;
if( !g.isAnon ) return encode64(P(login_cookie_name()),0);
/*
** Well, that's about all we have for anon users. IP address is the
** only other usable option.
*/
return encode64(((z = getenv("REMOTE_ADDR")) ? z : "0.0.0.0"),0);
}
|