Re-add CSRF tokens to most package actions
commit 69b98efa35d48d794394df938741fdfc342cfb84
author Lukas Fleischer <archlinux@cryptocrack.de>
Tue, 27 Aug 2013 00:18:59 +0000 (27 02:18 +0200)
committer Lukas Fleischer <archlinux@cryptocrack.de>
Tue, 27 Aug 2013 00:27:19 +0000 (27 02:27 +0200)
tree 34a032d8d80c9fabb666f775e3d7549dc58584bb
parent 3bc951e3d87eaf692a7e47cf16a28d838c7cb2bd
Re-add CSRF tokens to most package actions

We fixed all known CSRF vulnerabilities in commit 2c93f0a (Implement
token system to fix CSRF vulnerabilities, 2012-06-23). c349cb2 (Add
virtual path support for package actions, 2012-07-17) partly reverted
this by injecting a valid CSRF token when virtual paths are in use.

This patch allows for keeping the virtual path feature, while
reintroducing POST forms and CSRF tokens. Actions like package flagging,
votes and notifications are no longer prone to CSRF (see FS#35437 for
details).

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
web/html/index.php
web/template/pkg_details.php
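
The pattern the commit message describes, as an added PHP sketch that is not the project's own code: a router that supplies the session's token for path-based actions makes the token check pass for any request, while requiring POST with a token from the form body does not. The function names, the path layout, the action names and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration; every name below is hypothetical, not the project's.
const ACTIONS = ['vote', 'flag', 'notify'];

function new_session(): array {
    return ['csrf_token' => bin2hex(random_bytes(16))];
}

// The submitted token must match the one stored in the session.
function check_token(array $session, array $params): bool {
    return isset($params['token']) && is_string($params['token'])
        && hash_equals($session['csrf_token'], $params['token']);
}

// Weak: the action comes from the URL path and the router supplies the
// session's own token, so the check passes for any request to that path.
function route_weak(array $session, string $method, string $path, array $post): string {
    $parts = explode('/', trim($path, '/'));
    $params = ['action' => $parts[2] ?? '', 'token' => $session['csrf_token']];
    if (!in_array($params['action'], ACTIONS, true)) return 'rejected';
    return check_token($session, $params) ? "done: {$params['action']}" : 'rejected';
}

// Hardened: the path only names the package; the action and the token must
// both arrive in a POST body, which a form on another site cannot fill in
// because it does not know the token.
function route_hardened(array $session, string $method, string $path, array $post): string {
    if ($method !== 'POST') return 'rejected';
    $action = $post['action'] ?? '';
    if (!is_string($action) || !in_array($action, ACTIONS, true)) return 'rejected';
    return check_token($session, $post) ? "done: $action" : 'rejected';
}

// Constructed requests; the session cookie is assumed to be sent with each.
$s = new_session();
$requests = [
    'cross-site GET, no token'  => ['GET',  '/packages/foo/vote', []],
    'cross-site POST, no token' => ['POST', '/packages/foo', ['action' => 'vote']],
    'own form POST with token'  => ['POST', '/packages/foo',
                                    ['action' => 'vote', 'token' => $s['csrf_token']]],
];
foreach ($requests as $label => [$method, $path, $post]) {
    printf("%-26s weak=%-10s hardened=%s\n", $label,
        route_weak($s, $method, $path, $post),
        route_hardened($s, $method, $path, $post));
}
```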