check_nonpage: Handle ParmT ne 'y' correctly
[cgi-auth-flexible.git]
/
cgi-auth-flexible.pm
diff --git
a/cgi-auth-flexible.pm
b/cgi-auth-flexible.pm
index a2975199a14a65cbbf5266759e9de6b92bf62cc9..e52441b802b1647dff1f927fd7018ee7aa959827 100644
--- a/
cgi-auth-flexible.pm
+++ b/
cgi-auth-flexible.pm
@@
-701,7
+701,6
@@
sub construct_cookie ($$$) {
# any - POST nrmuoi bug or attack, fail
# any - GET rmuoi bug or attack, fail
# any any GET muoi bug or attack, fail
# any - POST nrmuoi bug or attack, fail
# any - GET rmuoi bug or attack, fail
# any any GET muoi bug or attack, fail
- # any t any nrmu bug or attack, fail
#
# - - GET O "just logged out" page
# (any other) O bug or attack, fail
#
# - - GET O "just logged out" page
# (any other) O bug or attack, fail
@@
-746,38
+745,38
@@
sub construct_cookie ($$$) {
# revoke y2
# treat as y1 n POST
#
# revoke y2
# treat as y1 n POST
#
- # y n
GET n intra-site link from stale page,
+ # y n
t
GET n intra-site link from stale page,
# treat as cross-site link, show data
#
# treat as cross-site link, show data
#
- # y n
POST n m intra-site form submission from stale page
+ # y n
t
POST n m intra-site form submission from stale page
# show "session interrupted"
# with link to main data page
#
# show "session interrupted"
# with link to main data page
#
- # y n
GET r intra-site request from stale page
+ # y n
t
GET r intra-site request from stale page
# fail
#
# fail
#
- # y n
POST r u intra-site request from stale page
+ # y n
t
POST r u intra-site request from stale page
# fail
#
# fail
#
- # -
/n
y2 GET nr intra-site link from cleared session
+ # -
n
y2 GET nr intra-site link from cleared session
# do not revoke y2 as not RESTful
# treat as -/n n GET
#
# do not revoke y2 as not RESTful
# treat as -/n n GET
#
- # -
/n
y2 POST nrmu request from cleared session
+ # -
n
y2 POST nrmu request from cleared session
# revoke y2
# treat as -/n n POST
#
# revoke y2
# treat as -/n n POST
#
- # -
/n -/n
GET n cross-site link but user not logged in
+ # -
nt -nt
GET n cross-site link but user not logged in
# show login form with redirect to orig params
# generate fresh cookie
#
# show login form with redirect to orig params
# generate fresh cookie
#
- # -
/n n
GET rmu user not logged in
+ # -
nt nt
GET rmu user not logged in
# fail
#
# fail
#
- # -
/n n
POST n m user not logged in
+ # -
nt nt
POST n m user not logged in
# show login form
#
# show login form
#
- # -
/n n
POST r u user not logged in
+ # -
nt nt
POST r u user not logged in
# fail
sub _check_divert_core ($) {
# fail
sub _check_divert_core ($) {
@@
-873,7
+872,6
@@
sub _check_divert_core ($) {
if ($cookt eq 't') {
$cookt = '';
}
if ($cookt eq 't') {
$cookt = '';
}
- die if $parmt eq 't';
if ($cookt eq 'y' && $parmt eq 'y' && $cookh ne $parmh) {
$r->_db_revoke($parmh) if $meth eq 'POST';
if ($cookt eq 'y' && $parmt eq 'y' && $cookh ne $parmh) {
$r->_db_revoke($parmh) if $meth eq 'POST';
@@
-882,7
+880,7
@@
sub _check_divert_core ($) {
if ($cookt ne 'y') {
die unless !$cookt || $cookt eq 'n';
if ($cookt ne 'y') {
die unless !$cookt || $cookt eq 'n';
- die unless !$parmt || $parmt eq 'n' || $parmt eq 'y';
+ die unless !$parmt || $parmt eq '
t' || $parmt eq '
n' || $parmt eq 'y';
my $news = $r->_fresh_secret();
if ($meth eq 'GET') {
return ({ Kind => 'LOGIN-INCOMINGLINK',
my $news = $r->_fresh_secret();
if ($meth eq 'GET') {
return ({ Kind => 'LOGIN-INCOMINGLINK',
@@
-1362,7
+1360,7
@@
sub check_nonpage ($$) {
my ($r, $reqtype) = @_;
$r->_assert_checked();
return unless $r->resource_get_needs_secret_hidden($reqtype);
my ($r, $reqtype) = @_;
$r->_assert_checked();
return unless $r->resource_get_needs_secret_hidden($reqtype);
- return if $r->{ParmT};
+ return if $r->{ParmT}
eq 'y'
;
die "missing hidden secret parameter on nonpage request $reqtype";
}
die "missing hidden secret parameter on nonpage request $reqtype";
}
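Review bot: In check_nonpage the new test `$r->{ParmT} eq 'y'` is evaluated even when no hidden secret parameter was supplied. The `!$parmt` tests in _check_divert_core suggest the value can be empty or undefined, though where ParmT is assigned is outside these hunks. If it is undefined, the comparison emits an "uninitialized value" warning before the intended die, or a different fatal error if warnings are made fatal. Writing it as `return if ($r->{ParmT} // '') eq 'y';` keeps the missing-parameter case on the explicit "missing hidden secret parameter" path. A short comment such as `# only ParmT 'y' satisfies the hidden-secret requirement; 'n' and 't' must fall through to die` would record why truthiness alone was not enough, since the old `return if $r->{ParmT};` let any non-empty state skip this check.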