From 2cc2bcd02ba39b7112ee5428f39bdac95e6fd1f3 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Thu, 7 Mar 2013 18:09:41 +0000 Subject: [PATCH] javascript hijacking fix, docs are still wip --- caf.pod | 27 +++++++++++++++++++++++++++ cgi-auth-flexible.pm | 42 +++++++++++++++++++++++++++++++++--------- 2 files changed, 60 insertions(+), 9 deletions(-) diff --git a/caf.pod b/caf.pod index 8e2d193..2603499 100644 --- a/caf.pod +++ b/caf.pod @@ -85,6 +85,33 @@ generate the whole HTML C<< >> element. Do not put the secret value in URLs for C requests. +=head2 NON-PAGE RESOURCES + +Some, but not all, non-page resources (fetched with GET) need to have +the secret hidden parameter in the query parameters in the form url. + +So if your application supports anything except HTML pages you need to +take special measures. (Wholly invariant resources which don't depend +on which user is logged in are an exception.) + +When you generate a url to such a resource you must call +resource_get_needs_secret_hidden to find out whether to include the +hidden form parameter xxx fixme + +You can only when logged in + + call +C when you are processing one of these. You need to +supply a parameter specifying exactly what kind of resource this is: + + + +before you +generate any output + + (other than + + =head2 MUTATING OPERATIONS AND EXTERNAL LINKS INTO YOUR SITE By default CGI::Auth::Flexible does not permit external links into diff --git a/cgi-auth-flexible.pm b/cgi-auth-flexible.pm index 8517f3b..eea4bc0 100644 --- a/cgi-auth-flexible.pm +++ b/cgi-auth-flexible.pm @@ -17,8 +17,6 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . -die "need to fix js hijacking"; - use strict; use warnings FATAL => 'all'; @@ -181,8 +179,9 @@ sub gen_plain_login_link ($$) { sub gen_srcdump_link_html ($$$$) { my ($c,$r,$anchor,$specval) = @_; my %params = ($r->{S}{srcdump_param_name} => [ $specval ]); - return ''. - $anchor.""; + return ''.$anchor.""; } sub gen_plain_licence_link_html ($$) { my ($c,$r) = @_; @@ -668,9 +667,9 @@ my @ca = (-name => $r->{S}{cookie_name}, # pages/param-sets are # n normal non-mutating page -# r retrieval of information for JS, non-mutating +# r retrieval of information for JS etc., non-mutating # m mutating page -# u update of information by JS, mutating +# u update of information by JS etc., mutating # i login # o logout # O "you have just logged out" page load @@ -907,6 +906,7 @@ sub _check_divert_core ($) { die unless $parmt eq 'y'; die unless $cookh eq $parmh; } + $r->{ParmT} = $parmt; $r->{AssocSecret} = $cooks; $r->{UserOK} = $cooku; #print STDERR "C-D-C OK\n"; @@ -1036,12 +1036,17 @@ sub get_username ($) { return $r->{UserOK}; } -sub url_with_query_params ($$) { - my ($r, $params) = @_; +sub url_with_query_params ($$;$) { + my ($r, $params, $nonpagetype) = @_; #print STDERR "PARAMS ",Dumper($params); my $uri = URI->new($r->_ch('get_url')); $uri->path($uri->path() . $params->{''}[0]) if $params->{''}; - $uri->query_form(flatten_params($params)); + my @flatparams = flatten_params($params); + if (defined $nonpagetype + && $r->nonpage_get_needs_secret_hidden($nonpagetype)) { + push @flatparams, $r->{S}{assoc_param_name}, $r->secret_hidden_val(); + } + $uri->query_form(@flatparams); return $uri->as_string(); } @@ -1288,6 +1293,25 @@ sub mutate_ok ($) { return $r->_is_post(); } +our %_resource_get_needs_secret_hidden = + (map { $_ => 0 } qw(PAGE FRAME IFRAME SRCDUMP STYLESHEET FAVICON), + map { $_ => 1 } qw(IMAGE SCRIPT AJAX-XML AJAX-JSON AJAX-OTHER)); + +sub resource_get_needs_secret_hidden ($) { + my ($r, $nonpagetype) = @_; + my $ent = $_resource_get_needs_secret_hidden{$nonpagetype}; + die "unsupported nonpage GET type $nonpagetype" unless defined $ent; + return $ent; +} + +sub nonpage_ok ($$) { + my ($r, $nonpagetype) = @_; + $r->_assert_checked(); + return unless $r->resource_get_needs_secret_hidden($nonpagetype); + return if $r->{ParmT}; + die "missing hidden secret parameter on nonpage GET $nonpagetype"; +} + #---------- output ---------- sub secret_cookie_val ($) { -- 2.30.2