}
wprintf("<TR><TD> </TD>"
- "<TD><FORM METHOD=\"POST\" action=\"create_floor\">"
- "<INPUT TYPE=\"text\" NAME=\"floorname\" "
+ "<TD><FORM METHOD=\"POST\" action=\"create_floor\">");
+ wprintf("<input type=\"hidden\" name=\"nonce\" value=\"%ld\">\n", WC->nonce);
+ wprintf("<INPUT TYPE=\"text\" NAME=\"floorname\" "
"MAXLENGTH=\"250\">\n"
"<INPUT TYPE=\"SUBMIT\" NAME=\"sc\" "
"VALUE=\"%s\">"
/** Offer in-place editing. */
if (strlen(eid) > 0) {
wprintf("<script type=\"text/javascript\">"
- " new Ajax.InPlaceEditor('note%s', 'updatenote?eid=%s', {rows:5,cols:72}); "
+ "new Ajax.InPlaceEditor('note%s', 'updatenote?nonce=%ld?eid=%s', {rows:5,cols:72});"
"</script>\n",
eid,
+ WC->nonce,
eid
);
}
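Review bot: The URL built on line 15 separates its two query parameters with a second `?` instead of `&`: `'updatenote?nonce=%ld?eid=%s'`. Depending on how the query string is split, `eid` is either dropped or becomes the tail of the nonce value, and because `atoi` stops at the `?` the nonce check would still pass while the note id goes missing; change it to `'updatenote?nonce=%ld&eid=%s'`. `eid` is also interpolated unescaped into a JavaScript string literal on the same line, which is only safe if it is guaranteed to be a plain identifier — worth confirming against where eid originates. The enclosing function starts outside the hunk.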
void embed_view_o_matic(void) {
int i;
- wprintf("<form name=\"viewomatic\" action=\"changeview\">\n"
- "<label for=\"view_name\">");
+ wprintf("<form name=\"viewomatic\" action=\"changeview\">\n");
+ wprintf("<input type=\"hidden\" name=\"nonce\" value=\"%ld\">\n", WC->nonce);
+ wprintf("<label for=\"view_name\">");
wprintf(_("View as:"));
wprintf("</label> "
"<select name=\"newview\" size=\"1\" "
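Review bot: The hidden nonce field added on line 27 is emitted into a form whose `<form>` tag on line 26 has no METHOD attribute, so the browser submits it by GET; the same applies to the searchomatic form in the next hunk (lines 37-38). If the nonce is only verified for POST requests, as the change to the request check later in this diff suggests, these two fields are emitted but never checked. Either add the method to both tags, e.g. `wprintf("<form name=\"viewomatic\" method=\"post\" action=\"changeview\">\n");`, or verify the nonce on GET as well. embed_view_o_matic continues past the end of the hunk.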
* \brief Display a search box
*/
void embed_search_o_matic(void) {
- wprintf("<form name=\"searchomatic\" action=\"do_search\">\n"
- "<label for=\"search_name\">");
+ wprintf("<form name=\"searchomatic\" action=\"do_search\">\n");
+ wprintf("<input type=\"hidden\" name=\"nonce\" value=\"%ld\">\n", WC->nonce);
+ wprintf("<label for=\"search_name\">");
wprintf(_("Search: "));
wprintf("</label> <input "
"type=\"text\" name=\"query\" size=\"15\" maxlength=\"128\" "
}
/* If the client sent a nonce that is incorrect, kill the request. */
- if (strlen(bstr("nonce")) > 0) {
+ if (!strcasecmp(request_method, "POST")) {
+ lprintf(9, "Comparing supplied nonce %s to session nonce %ld\n",
+ bstr("nonce"), WC->nonce);
if (atoi(bstr("nonce")) != WC->nonce) {
lprintf(9, "Ignoring request with mismatched nonce.\n");
wprintf("HTTP/1.1 404 Security check failed\r\n");
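Review bot: Gating the nonce comparison on `request_method` being POST (line 46) means a state-changing request that arrives via GET is no longer checked at all, and this commit itself emits such requests: the viewomatic and searchomatic forms carry no METHOD attribute and so submit by GET. Before the change any request that supplied a nonce was compared against the session; now a GET with a missing or forged nonce passes straight through to the handler. Either keep the old condition alongside the new one, `if (!strcasecmp(request_method, "POST") || strlen(bstr("nonce")) > 0) {`, or make every form that changes state submit by POST. The debug line on lines 47-48 also writes the session nonce itself into the log at level 9; since the value is only useful while the client alone knows it, logging just whether the comparison matched would be enough. The enclosing function starts and ends outside the hunk.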