Nearly all <FORM> blocks now contain a hidden input

[citadel.git] / webcit / webcit.c

diff --git a/webcit/webcit.c b/webcit/webcit.c
index 36c4fe8f7c19027c2c7a8d418c694ef629c6801e..3e93030717adea7a3b5338378eb7f49edbd7e7eb 100644 (file)
--- a/webcit/webcit.c
+++ b/webcit/webcit.c
@@ -1200,14 +1200,26 @@ void session_loop(struct httprequest *req)
                else 
                {
                        lprintf(9, "Suspicious request. Ignoring.");
-                       wprintf("HTTP/1.1 404 Not found. Don't try to Trick me DUDE!\r\n");
+                       wprintf("HTTP/1.1 404 Security check failed\r\n");
                        wprintf("Content-Type: text/plain\r\n");
                        wprintf("\r\n");
-                       wprintf("Not found. Don't play games on me!\r\n");
+                       wprintf("Security check failed.\r\n");
                }
                goto SKIP_ALL_THIS_CRAP;        /* Don't try to connect */
        }
 
+       /* If the client sent a nonce that is incorrect, kill the request. */
+       if (strlen(bstr("nonce")) > 0) {
+               if (atoi(bstr("nonce")) != WC->nonce) {
+                       lprintf(9, "Ignoring request with mismatched nonce.\n");
+                       wprintf("HTTP/1.1 404 Security check failed\r\n");
+                       wprintf("Content-Type: text/plain\r\n");
+                       wprintf("\r\n");
+                       wprintf("Security check failed.\r\n");
+                       goto SKIP_ALL_THIS_CRAP;
+               }
+       }
+
        /**
         * If we're not connected to a Citadel server, try to hook up the
         * connection now.