From bedf5c0b955473d8ad02eaf628e8d209f534f2b6 Mon Sep 17 00:00:00 2001 From: Art Cancro Date: Thu, 5 Jul 2007 19:36:32 +0000 Subject: [PATCH] Nearly all
blocks now contain a hidden input tag containing a session nonce. If the nonce does not match, the request is cancelled. --- webcit/auth.c | 3 ++- webcit/calendar.c | 1 + webcit/context_loop.c | 1 + webcit/downloads.c | 3 ++- webcit/event.c | 1 + webcit/floors.c | 2 ++ webcit/graphics.c | 1 + webcit/iconbar.c | 1 + webcit/inetconf.c | 5 +++-- webcit/listsub.c | 6 +++--- webcit/mainmenu.c | 1 + webcit/messages.c | 2 ++ webcit/netconf.c | 2 ++ webcit/paging.c | 2 ++ webcit/preferences.c | 1 + webcit/roomops.c | 21 +++++++++++++++------ webcit/setup_wizard.c | 1 + webcit/sieve.c | 5 ++++- webcit/siteconfig.c | 1 + webcit/sysmsgs.c | 1 + webcit/useredit.c | 3 +++ webcit/vcard_edit.c | 1 + webcit/webcit.c | 16 ++++++++++++++-- webcit/webcit.h | 1 + webcit/who.c | 1 + 25 files changed, 67 insertions(+), 16 deletions(-) diff --git a/webcit/auth.c b/webcit/auth.c index 01f53a1c4..748028f85 100644 --- a/webcit/auth.c +++ b/webcit/auth.c @@ -403,7 +403,7 @@ void validate(void) wprintf(_("Select access level for this user:")); wprintf("
\n"); for (a = 0; a <= 6; ++a) { - wprintf("nonce); urlescputs(user); wprintf("&axlevel=%d\">%s   \n", a, axdefs[a]); @@ -488,6 +488,7 @@ void display_changepw(void) } wprintf("\n"); + wprintf("\n", WC->nonce); wprintf("
" "" diff --git a/webcit/calendar.c b/webcit/calendar.c index 73c3647c9..489d58a1f 100644 --- a/webcit/calendar.c +++ b/webcit/calendar.c @@ -517,6 +517,7 @@ void display_edit_individual_task(icalcomponent *supplied_vtodo, long msgnum) { "
", _("Change name")); @@ -108,6 +109,7 @@ void display_floorconfig(char *prepend_html) "\n", floornum, floorname); + wprintf("\n", WC->nonce); wprintf("" "", _("Change CSS")); diff --git a/webcit/graphics.c b/webcit/graphics.c index 90333ecd3..daeff6d34 100644 --- a/webcit/graphics.c +++ b/webcit/graphics.c @@ -38,6 +38,7 @@ void display_graphics_upload(char *description, char *check_cmd, char *uplurl) wprintf("\n", uplurl); + wprintf("\n", WC->nonce); wprintf("\n"); diff --git a/webcit/iconbar.c b/webcit/iconbar.c index abfa0c172..a69aab160 100644 --- a/webcit/iconbar.c +++ b/webcit/iconbar.c @@ -494,6 +494,7 @@ void display_customize_iconbar(void) { "
"); wprintf("\n"); + wprintf("\n", WC->nonce); wprintf("\n", msgnum); diff --git a/webcit/context_loop.c b/webcit/context_loop.c index a4759ce99..cb1a907f6 100644 --- a/webcit/context_loop.c +++ b/webcit/context_loop.c @@ -468,6 +468,7 @@ void context_loop(int sock) strcpy(TheSession->httpauth_pass, httpauth_pass); pthread_mutex_init(&TheSession->SessionMutex, NULL); pthread_mutex_lock(&SessionListMutex); + TheSession->nonce = rand(); TheSession->next = SessionList; SessionList = TheSession; pthread_mutex_unlock(&SessionListMutex); diff --git a/webcit/downloads.c b/webcit/downloads.c index d3ffe37bb..d29e7fc7e 100644 --- a/webcit/downloads.c +++ b/webcit/downloads.c @@ -1,5 +1,5 @@ /* - * $Id: downloads.c 4849 2007-01-08 20:05:56Z ajc $ + * $Id$ */ #include "webcit.h" @@ -64,6 +64,7 @@ void display_room_directory(void) "name=\"upload_file_form\"" ">\n" ); + wprintf("\n", WC->nonce); wprintf(_("Upload a file:")); wprintf("  \n"); diff --git a/webcit/event.c b/webcit/event.c index 3ea0806ff..37d6af565 100644 --- a/webcit/event.c +++ b/webcit/event.c @@ -123,6 +123,7 @@ void display_edit_individual_event(icalcomponent *supplied_vevent, long msgnum) *************************************************************/ wprintf("\n"); + wprintf("\n", WC->nonce); wprintf("\n", msgnum); diff --git a/webcit/floors.c b/webcit/floors.c index bc92b4455..da7e0061a 100644 --- a/webcit/floors.c +++ b/webcit/floors.c @@ -95,6 +95,7 @@ void display_floorconfig(char *prepend_html) "\n", floornum, floorname); + wprintf("\n", WC->nonce); wprintf("" "
\n"); } } - wprintf("\n" - "
"); wprintf("\n"); + wprintf("\n", WC->nonce); wprintf("
"); wprintf(_("Display icons as:")); diff --git a/webcit/inetconf.c b/webcit/inetconf.c index 70c707191..c7066cda9 100644 --- a/webcit/inetconf.c +++ b/webcit/inetconf.c @@ -130,8 +130,9 @@ void display_inetconf(void) wprintf("
" + wprintf("\n"); + wprintf("\n", WC->nonce); + wprintf("
" "" "", ic_keyword[which]); wprintf("" diff --git a/webcit/listsub.c b/webcit/listsub.c index cadf60b48..2000c3c18 100644 --- a/webcit/listsub.c +++ b/webcit/listsub.c @@ -168,9 +168,9 @@ void do_listsub(void) * Any other (invalid) command causes the form to be displayed */ else { -FORM: wprintf("\n" - "\n" - ); +FORM: wprintf("\n"); + wprintf("\n", WC->nonce); + wprintf("
\n"); wprintf("
Name of list" "\n", WC->nonce); wprintf(_("Enter command:")); wprintf("

\n"); diff --git a/webcit/messages.c b/webcit/messages.c index 27bccfa61..b4aea13fe 100644 --- a/webcit/messages.c +++ b/webcit/messages.c @@ -2950,6 +2950,7 @@ void display_enter(void) wprintf("\n", bstr("wikipage")); } wprintf("\n", bstr("return_to")); + wprintf("\n", WC->nonce); /** header bar */ @@ -3270,6 +3271,7 @@ void confirm_move_msg(void) wprintf("
\n"); wprintf("\n"); + wprintf("\n", WC->nonce); wprintf("\n", bstr("msgid")); wprintf("\n", WC->nonce); wprintf("
\n"); wprintf("", _("Node name")); wprintf("\n"); @@ -124,6 +125,7 @@ void display_edit_node(void) if (!strcasecmp(node, cnode)) { wprintf("\n"); + wprintf("\n", WC->nonce); wprintf("
%s
\n"); wprintf("
"); wprintf(_("Node name")); diff --git a/webcit/paging.c b/webcit/paging.c index b8b0bb378..0932db026 100644 --- a/webcit/paging.c +++ b/webcit/paging.c @@ -35,6 +35,7 @@ void display_page(void) wprintf("
\n"); wprintf("\n"); + wprintf("\n", WC->nonce); wprintf("
\n"); @@ -483,6 +484,7 @@ void chat_send(void) { WC->chat_sock = i; wprintf("\n"); + wprintf("\n", WC->nonce); wprintf("\n", SIZ-10); wprintf("
"); diff --git a/webcit/preferences.c b/webcit/preferences.c index 48db25832..fac58a6b4 100644 --- a/webcit/preferences.c +++ b/webcit/preferences.c @@ -217,6 +217,7 @@ void display_preferences(void) "\n" "\n"); + wprintf("\n", WC->nonce); /** * Room list view diff --git a/webcit/roomops.c b/webcit/roomops.c index 25943084d..832b622d1 100644 --- a/webcit/roomops.c +++ b/webcit/roomops.c @@ -1176,6 +1176,7 @@ void display_editroom(void) if (!strcmp(tab, "config")) { wprintf("\n"); + wprintf("\n", WC->nonce); wprintf("
  • "); wprintf(_("Name of room: ")); @@ -1429,9 +1430,9 @@ void display_editroom(void) extract_token(node, buf, 0, '|', sizeof node); extract_token(remote_room, buf, 1, '|', sizeof remote_room); if (strlen(node) > 0) { - wprintf("" - "
\n", node); + wprintf(""); + wprintf("\n", WC->nonce); + wprintf("\n", node); wprintf("
%s
%s"); if (strlen(remote_room) > 0) { @@ -1472,9 +1473,9 @@ void display_editroom(void) for (i=0; i 0) { - wprintf("" - "
"); + wprintf(""); + wprintf("\n", WC->nonce); + wprintf("
"); escputs(node); wprintf("" "\n" "\n" "\n"); + wprintf("\n", WC->nonce); wprintf("\n"); wprintf("", _("Add")); wprintf("\n"); @@ -1574,6 +1576,7 @@ void display_editroom(void) wprintf("
\n" "\n" "\n"); + wprintf("\n", WC->nonce); wprintf("\n"); wprintf("", _("Add")); wprintf("
\n"); @@ -1638,6 +1641,7 @@ void display_editroom(void) } wprintf("
\n"); + wprintf("\n", WC->nonce); wprintf("\n"); wprintf("
"); wprintf(_("Message expire policy for this room")); @@ -1987,6 +1991,7 @@ void display_whok(void) wprintf("

"); wprintf("
\n"); + wprintf("\n", WC->nonce); wprintf("\n"); wprintf("\n"); + wprintf("\n", WC->nonce); wprintf(_("Invite:")); wprintf(" "); wprintf("
\n" @@ -2055,6 +2061,7 @@ void display_entroom(void) "
\n"); wprintf("\n"); + wprintf("\n", WC->nonce); wprintf("
  • "); wprintf(_("Name of room: ")); @@ -2277,6 +2284,7 @@ void display_private(char *rname, int req_pass) wprintf("\n

    "); wprintf("\n"); + wprintf("\n", WC->nonce); wprintf("\n" @@ -2360,6 +2368,7 @@ void display_zap(void) "to do?
    \n"), WC->wc_roomname); wprintf("\n"); + wprintf("\n", WC->nonce); wprintf("", _("Zap this room")); wprintf(" "); wprintf("", _("Cancel")); diff --git a/webcit/setup_wizard.c b/webcit/setup_wizard.c index 76c7ed8e2..886046759 100644 --- a/webcit/setup_wizard.c +++ b/webcit/setup_wizard.c @@ -40,6 +40,7 @@ void do_setup_wizard(void) wprintf("
    " "\n" ); + wprintf("\n", WC->nonce); wprintf("
    " "This is where the setup wizard will be placed.
    \n" diff --git a/webcit/sieve.c b/webcit/sieve.c index e4c97d1d8..929faafc5 100644 --- a/webcit/sieve.c +++ b/webcit/sieve.c @@ -1,5 +1,5 @@ /* - * $Id: $ + * $Id$ */ /** * \defgroup Sieve view/edit sieve config @@ -87,6 +87,7 @@ void display_sieve(void) wprintf("\n"); + wprintf("\n", WC->nonce); wprintf(_("When new mail arrives: ")); wprintf("\n", WC->nonce); wprintf(_("Script name: ")); wprintf("
    \n" "" @@ -638,6 +640,7 @@ void display_add_remove_scripts(char *message) wprintf("
    " "\n"); + wprintf("\n", WC->nonce); wprintf("\n", WC->nonce); i = 0; while (serv_getln(buf, sizeof buf), strcmp(buf, "000")) { diff --git a/webcit/sysmsgs.c b/webcit/sysmsgs.c index 86a5e6fed..f4222ccb1 100644 --- a/webcit/sysmsgs.c +++ b/webcit/sysmsgs.c @@ -47,6 +47,7 @@ void display_edit(char *description, char *check_cmd, wprintf("
    "); wprintf("\n", save_cmd); + wprintf("\n", WC->nonce); wprintf("