2008-07-06 20:54:38 +02:00
|
|
|
<br />
|
2008-07-02 22:14:18 +02:00
|
|
|
<TMPL_VAR JAVASCRIPT>
|
2006-03-19 20:09:57 +01:00
|
|
|
<TMPL_IF NAME="PAGE_CONFLICT">
|
|
|
|
<p>
|
2006-11-15 21:49:10 +01:00
|
|
|
<b>Your changes conflict with other changes made to the page.</b>
|
2006-03-19 21:34:59 +01:00
|
|
|
</p>
|
|
|
|
<p>
|
2006-03-19 20:09:57 +01:00
|
|
|
Conflict markers have been inserted into the page content. Reconcile the
|
2006-11-15 21:49:10 +01:00
|
|
|
conflict and commit again to save your changes.
|
2006-03-19 20:09:57 +01:00
|
|
|
</p>
|
|
|
|
</TMPL_IF>
|
2007-02-15 03:22:08 +01:00
|
|
|
<TMPL_IF NAME="FAILED_SAVE">
|
|
|
|
<p>
|
|
|
|
<b>Failed to save your changes.</b>
|
|
|
|
</p>
|
|
|
|
<p>
|
|
|
|
Your changes were not able to be saved to disk. The system gave the error:
|
|
|
|
<blockquote>
|
|
|
|
<TMPL_VAR ERROR_MESSAGE>
|
|
|
|
</blockquote>
|
|
|
|
Your changes are preserved below, and you can try again to save them.
|
|
|
|
</p>
|
|
|
|
</TMPL_IF>
|
2007-02-24 01:39:06 +01:00
|
|
|
<TMPL_IF NAME="PAGE_GONE">
|
|
|
|
<p>
|
|
|
|
<b>The page you were editing has disappeared.</b>
|
|
|
|
</p>
|
|
|
|
<p>
|
|
|
|
Perhaps someone else has deleted it or moved it. If you want to recreate
|
|
|
|
this page with your text, click "Save Page" again.
|
|
|
|
</p>
|
|
|
|
</TMPL_IF>
|
2007-03-18 00:57:03 +01:00
|
|
|
<TMPL_IF NAME="CREATION_CONFLICT">
|
|
|
|
<p>
|
|
|
|
<b>While you were creating this page, someone else independently created a page
|
|
|
|
with the same name.</b>
|
|
|
|
</p>
|
|
|
|
<p>
|
|
|
|
The edit box below contains the page's current content, followed by the
|
2007-03-18 00:58:34 +01:00
|
|
|
content you entered previously, to allow you to merge the two
|
2007-03-18 00:57:03 +01:00
|
|
|
together before saving.
|
|
|
|
</p>
|
|
|
|
</TMPL_IF>
|
2006-03-12 17:37:26 +01:00
|
|
|
<TMPL_VAR FORM-START>
|
|
|
|
<TMPL_VAR FIELD-DO>
|
Fix CSRF attacks against the preferences and edit forms. Closes: #475445
The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.
In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.
In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.
For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)
The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
2008-04-10 22:35:30 +02:00
|
|
|
<TMPL_VAR FIELD-SID>
|
2006-03-12 17:37:26 +01:00
|
|
|
<TMPL_VAR FIELD-FROM>
|
2006-03-19 21:34:59 +01:00
|
|
|
<TMPL_VAR FIELD-RCSINFO>
|
2007-02-24 01:39:06 +01:00
|
|
|
<TMPL_VAR FIELD-NEWFILE>
|
2006-03-12 17:37:26 +01:00
|
|
|
<TMPL_IF NAME="PAGE_SELECT">
|
2006-05-27 21:04:46 +02:00
|
|
|
Page location: <TMPL_VAR FIELD-PAGE>
|
2006-07-26 23:23:06 +02:00
|
|
|
Page type: <TMPL_VAR FIELD-TYPE>
|
2006-03-12 17:37:26 +01:00
|
|
|
<TMPL_ELSE>
|
2006-05-27 21:04:46 +02:00
|
|
|
<br />
|
2006-03-12 17:37:26 +01:00
|
|
|
<TMPL_VAR FIELD-PAGE>
|
2006-07-26 23:23:06 +02:00
|
|
|
<TMPL_VAR FIELD-TYPE>
|
2006-03-12 17:37:26 +01:00
|
|
|
</TMPL_IF>
|
2006-05-27 21:04:46 +02:00
|
|
|
<TMPL_VAR FIELD-EDITCONTENT><br />
|
2006-03-12 17:37:26 +01:00
|
|
|
<TMPL_IF NAME="CAN_COMMIT">
|
2006-03-29 05:18:21 +02:00
|
|
|
Optional comment about this change:<br />
|
|
|
|
<TMPL_VAR FIELD-COMMENTS><br />
|
2006-03-12 17:37:26 +01:00
|
|
|
</TMPL_IF>
|
2007-08-17 07:34:59 +02:00
|
|
|
<TMPL_VAR FORM-SUBMIT>
|
2006-07-02 19:44:43 +02:00
|
|
|
<TMPL_VAR HELPONFORMATTINGLINK>
|
2008-07-01 03:15:19 +02:00
|
|
|
<TMPL_IF NAME="FIELD-ATTACHMENT">
|
2008-07-21 18:15:55 +02:00
|
|
|
<a class="toggle" href="#attachments">Attachments</a>
|
2008-07-02 21:42:32 +02:00
|
|
|
<div class="<TMPL_VAR ATTACHMENTS-CLASS>" id="attachments">
|
|
|
|
<table>
|
2008-07-02 22:08:48 +02:00
|
|
|
<tr><td colspan="5"><TMPL_VAR FIELD-ATTACHMENT><TMPL_VAR FIELD-UPLOAD></td></tr>
|
2008-07-01 23:19:38 +02:00
|
|
|
<TMPL_LOOP NAME="ATTACHMENT_LIST">
|
|
|
|
<tr><td><TMPL_VAR FIELD-SELECT><TMPL_VAR LINK></td><td><TMPL_VAR SIZE></td><td><TMPL_VAR MTIME></td></tr>
|
|
|
|
</TMPL_LOOP>
|
|
|
|
<TMPL_IF NAME="ATTACHMENT_LIST">
|
2008-07-02 22:08:48 +02:00
|
|
|
<tr><td colspan="2"><TMPL_VAR FIELD-LINK><TMPL_VAR FIELD-DELETE><TMPL_VAR FIELD-RENAME></td></tr>
|
2008-07-01 23:19:38 +02:00
|
|
|
</TMPL_IF>
|
|
|
|
</table>
|
|
|
|
</div>
|
2008-07-01 03:15:19 +02:00
|
|
|
</TMPL_IF>
|
2006-03-12 17:37:26 +01:00
|
|
|
<TMPL_VAR FORM-END>
|
2007-07-16 07:24:31 +02:00
|
|
|
|
2006-03-19 22:31:11 +01:00
|
|
|
<TMPL_IF NAME="PAGE_PREVIEW">
|
2006-07-02 19:44:43 +02:00
|
|
|
<hr />
|
2006-05-26 03:42:00 +02:00
|
|
|
<div class="header">
|
2006-05-26 03:10:58 +02:00
|
|
|
<span>Page preview:</span>
|
2006-03-29 09:24:03 +02:00
|
|
|
</div>
|
2007-07-16 07:24:31 +02:00
|
|
|
<div id="preview">
|
2006-03-16 22:39:45 +01:00
|
|
|
<TMPL_VAR PAGE_PREVIEW>
|
2006-03-29 09:24:03 +02:00
|
|
|
</div>
|
2006-03-16 22:39:45 +01:00
|
|
|
</TMPL_IF>
|