*All* <FORM> blocks now contain a nonce field, and the use of
authorArt Cancro <ajc@citadel.org>
Thu, 5 Jul 2007 19:53:58 +0000 (19:53 +0000)
committerArt Cancro <ajc@citadel.org>
Thu, 5 Jul 2007 19:53:58 +0000 (19:53 +0000)
a nonce is now enforced whenever method=POST is used.  This prevents
an attacker from simply removing the nonce entirely.

webcit/floors.c
webcit/notes.c
webcit/roomops.c
webcit/webcit.c

index da7e0061a4f89ea0bc0386be0e0451bd4556d729..3ea670d8fc1f6730513874ecd565a59103682550 100644 (file)
@@ -118,8 +118,9 @@ void display_floorconfig(char *prepend_html)
        }
 
        wprintf("<TR><TD>&nbsp;</TD>"
-               "<TD><FORM METHOD=\"POST\" action=\"create_floor\">"
-               "<INPUT TYPE=\"text\" NAME=\"floorname\" "
+               "<TD><FORM METHOD=\"POST\" action=\"create_floor\">");
+       wprintf("<input type=\"hidden\" name=\"nonce\" value=\"%ld\">\n", WC->nonce);
+       wprintf("<INPUT TYPE=\"text\" NAME=\"floorname\" "
                "MAXLENGTH=\"250\">\n"
                "<INPUT TYPE=\"SUBMIT\" NAME=\"sc\" "
                "VALUE=\"%s\">"
index 137480a52528121fd64bb4fbe7a6fe6a9487d229..38cd1b7def8b7f0fb341f755639579601119b384 100644 (file)
@@ -67,9 +67,10 @@ void display_note(long msgnum)
        /** Offer in-place editing. */
        if (strlen(eid) > 0) {
                wprintf("<script type=\"text/javascript\">"
-                       " new Ajax.InPlaceEditor('note%s', 'updatenote?eid=%s', {rows:5,cols:72}); "
+                       "new Ajax.InPlaceEditor('note%s', 'updatenote?nonce=%ld?eid=%s', {rows:5,cols:72});"
                        "</script>\n",
                        eid,
+                       WC->nonce,
                        eid
                );
        }
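Review bot: The new editor URL `'updatenote?nonce=%ld?eid=%s'` uses a second `?` where a `&` is needed, so the query string becomes `nonce=<value>?eid=<id>`; depending on how the server splits parameters, `eid` is either lost or folded into the nonce value, and `atoi` on that value would silently stop at the `?`. Change the format to `"new Ajax.InPlaceEditor('note%s', 'updatenote?nonce=%ld&eid=%s', {rows:5,cols:72});"`. Whether this request is checked at all depends on the method the in-place editor uses and on the nonce being read from the query string when the method is POST; that is worth confirming against session_loop, since the check there runs only for POST. display_note continues outside the hunk.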
index 832b622d1e4ae39d8e6d6bbeac4d792329c46e99..a6005641de2a466d38c30fee7adca94a2b242843 100644 (file)
@@ -378,8 +378,9 @@ void embed_room_graphic(void) {
 void embed_view_o_matic(void) {
        int i;
 
-       wprintf("<form name=\"viewomatic\" action=\"changeview\">\n"
-               "<label for=\"view_name\">");
+       wprintf("<form name=\"viewomatic\" action=\"changeview\">\n");
+       wprintf("<input type=\"hidden\" name=\"nonce\" value=\"%ld\">\n", WC->nonce);
+       wprintf("<label for=\"view_name\">");
        wprintf(_("View as:"));
        wprintf("</label> "
                "<select name=\"newview\" size=\"1\" "
@@ -416,8 +417,9 @@ void embed_view_o_matic(void) {
  * \brief Display a search box
  */
 void embed_search_o_matic(void) {
-       wprintf("<form name=\"searchomatic\" action=\"do_search\">\n"
-               "<label for=\"search_name\">");
+       wprintf("<form name=\"searchomatic\" action=\"do_search\">\n");
+       wprintf("<input type=\"hidden\" name=\"nonce\" value=\"%ld\">\n", WC->nonce);
+       wprintf("<label for=\"search_name\">");
        wprintf(_("Search: "));
        wprintf("</label> <input "
                "type=\"text\" name=\"query\" size=\"15\" maxlength=\"128\" "
index 3e93030717adea7a3b5338378eb7f49edbd7e7eb..c6677b285e1d0f8d24ac59ca7238fb56dae1fc22 100644 (file)
@@ -1209,7 +1209,9 @@ void session_loop(struct httprequest *req)
        }
 
        /* If the client sent a nonce that is incorrect, kill the request. */
-       if (strlen(bstr("nonce")) > 0) {
+       if (!strcasecmp(request_method, "POST")) {
+               lprintf(9, "Comparing supplied nonce %s to session nonce %ld\n", 
+                       bstr("nonce"), WC->nonce);
                if (atoi(bstr("nonce")) != WC->nonce) {
                        lprintf(9, "Ignoring request with mismatched nonce.\n");
                        wprintf("HTTP/1.1 404 Security check failed\r\n");
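Review bot: `atoi(bstr("nonce")) != WC->nonce`, the line after the new log call, parses the supplied nonce into an `int` while the session nonce is formatted with `%ld`, so a nonce wider than `int` can never compare equal, and `atoi` gives no way to distinguish an absent or malformed value from a literal 0. Parse with `strtol` and require the whole string to be consumed: `char *end = NULL; long supplied = strtol(bstr("nonce"), &end, 10);` followed by `if (end == bstr("nonce") || *end != '\0' || supplied != WC->nonce) {` in place of the `atoi` comparison. The added `lprintf(9, ...)` also writes the session nonce itself to the log; if level-9 output reaches a persistent log in any configuration, logging only the outcome of the comparison would keep the token out of it. session_loop continues outside the hunk.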