From: Ian Jackson Date: Wed, 28 Oct 2015 16:27:07 +0000 (+0000) Subject: check_nonpage: Handle ParmT ne 'y' correctly X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=commitdiff_plain;h=4b63ec666089ffd49b6b83c787a3a9a980bcf6a9;ds=inline check_nonpage: Handle ParmT ne 'y' correctly If check_nonpage needs to check authenticity of the submission, only a valid hidden form parameter ought to be permitted. This seems to have simply a logic error where (in 2cc2bcd0 "javascript hijacking fix") I thought ParmT was a perl booleanish; but, of course, it isn't. Signed-off-by: Ian Jackson --- diff --git a/cgi-auth-flexible.pm b/cgi-auth-flexible.pm index ad4ea5a..e52441b 100644 --- a/cgi-auth-flexible.pm +++ b/cgi-auth-flexible.pm @@ -1360,7 +1360,7 @@ sub check_nonpage ($$) { my ($r, $reqtype) = @_; $r->_assert_checked(); return unless $r->resource_get_needs_secret_hidden($reqtype); - return if $r->{ParmT}; + return if $r->{ParmT} eq 'y'; die "missing hidden secret parameter on nonpage request $reqtype"; }
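Review bot: In check_nonpage, the new test `return if $r->{ParmT} eq 'y';` compares against a bare string whose meaning is not documented anywhere in the hunk, and the commit message says the earlier bug came from taking ParmT for a Perl boolean. A short comment above the test, stating which values ParmT can hold and that only 'y' lets the nonpage request through, would keep the next reader from making the same mistake. If ParmT can be undef at this point (the visible lines do not show whether it can), `eq` will emit an uninitialized-value warning before execution reaches the die; `($r->{ParmT} // '') eq 'y'` avoids that and still fails closed. A regression test for a nonpage request where ParmT holds a true value other than 'y' would pin down the behaviour this change fixes.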