From 0596c6d9b3e9dda73beaa239e6349478667d267d Mon Sep 17 00:00:00 2001
From: Art Cancro <ajc@citadel.org>
Date: Thu, 5 Jul 2007 19:53:58 +0000
Subject: [PATCH] *All* <FORM> blocks now contain a nonce field, and the use of
 a nonce is now enforced whenever method=POST is used.  This prevents an
 attacker from simply removing the nonce entirely.

---
 webcit/floors.c  |  5 +++--
 webcit/notes.c   |  3 ++-
 webcit/roomops.c | 10 ++++++----
 webcit/webcit.c  |  4 +++-
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/webcit/floors.c b/webcit/floors.c
index da7e0061a..3ea670d8f 100644
--- a/webcit/floors.c
+++ b/webcit/floors.c
@@ -118,8 +118,9 @@ void display_floorconfig(char *prepend_html)
 	}
 
 	wprintf("<TR><TD>&nbsp;</TD>"
-		"<TD><FORM METHOD=\"POST\" action=\"create_floor\">"
-		"<INPUT TYPE=\"text\" NAME=\"floorname\" "
+		"<TD><FORM METHOD=\"POST\" action=\"create_floor\">");
+	wprintf("<input type=\"hidden\" name=\"nonce\" value=\"%ld\">\n", WC->nonce);
+	wprintf("<INPUT TYPE=\"text\" NAME=\"floorname\" "
 		"MAXLENGTH=\"250\">\n"
 		"<INPUT TYPE=\"SUBMIT\" NAME=\"sc\" "
 		"VALUE=\"%s\">"
diff --git a/webcit/notes.c b/webcit/notes.c
index 137480a52..38cd1b7de 100644
--- a/webcit/notes.c
+++ b/webcit/notes.c
@@ -67,9 +67,10 @@ void display_note(long msgnum)
 	/** Offer in-place editing. */
 	if (strlen(eid) > 0) {
 		wprintf("<script type=\"text/javascript\">"
-			" new Ajax.InPlaceEditor('note%s', 'updatenote?eid=%s', {rows:5,cols:72}); "
+			"new Ajax.InPlaceEditor('note%s', 'updatenote?nonce=%ld?eid=%s', {rows:5,cols:72});"
 			"</script>\n",
 			eid,
+			WC->nonce,
 			eid
 		);
 	}
diff --git a/webcit/roomops.c b/webcit/roomops.c
index 832b622d1..a6005641d 100644
--- a/webcit/roomops.c
+++ b/webcit/roomops.c
@@ -378,8 +378,9 @@ void embed_room_graphic(void) {
 void embed_view_o_matic(void) {
 	int i;
 
-	wprintf("<form name=\"viewomatic\" action=\"changeview\">\n"
-		"<label for=\"view_name\">");
+	wprintf("<form name=\"viewomatic\" action=\"changeview\">\n");
+	wprintf("<input type=\"hidden\" name=\"nonce\" value=\"%ld\">\n", WC->nonce);
+	wprintf("<label for=\"view_name\">");
 	wprintf(_("View as:"));
 	wprintf("</label> "
 		"<select name=\"newview\" size=\"1\" "
@@ -416,8 +417,9 @@ void embed_view_o_matic(void) {
  * \brief Display a search box
  */
 void embed_search_o_matic(void) {
-	wprintf("<form name=\"searchomatic\" action=\"do_search\">\n"
-		"<label for=\"search_name\">");
+	wprintf("<form name=\"searchomatic\" action=\"do_search\">\n");
+	wprintf("<input type=\"hidden\" name=\"nonce\" value=\"%ld\">\n", WC->nonce);
+	wprintf("<label for=\"search_name\">");
 	wprintf(_("Search: "));
 	wprintf("</label> <input "
 		"type=\"text\" name=\"query\" size=\"15\" maxlength=\"128\" "
diff --git a/webcit/webcit.c b/webcit/webcit.c
index 3e9303071..c6677b285 100644
--- a/webcit/webcit.c
+++ b/webcit/webcit.c
@@ -1209,7 +1209,9 @@ void session_loop(struct httprequest *req)
 	}
 
 	/* If the client sent a nonce that is incorrect, kill the request. */
-	if (strlen(bstr("nonce")) > 0) {
+	if (!strcasecmp(request_method, "POST")) {
+		lprintf(9, "Comparing supplied nonce %s to session nonce %ld\n", 
+			bstr("nonce"), WC->nonce);
 		if (atoi(bstr("nonce")) != WC->nonce) {
 			lprintf(9, "Ignoring request with mismatched nonce.\n");
 			wprintf("HTTP/1.1 404 Security check failed\r\n");
-- 
2.30.2