ikiwiki/templates
Joey Hess 72b5ef2c5f Fix CSRF attacks against the preferences and edit forms. Closes: #475445
The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.

In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.

In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.

For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)

The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
2008-04-10 16:35:30 -04:00
..
aggregatepost.tmpl add ! prefix to some directives in templates, and to the recentchanges page 2008-02-05 16:18:29 -05:00
archivepage.tmpl oh, this is confusing, it needs escaping in <title>, but not when it's used 2007-03-21 06:22:06 +00:00
atomitem.tmpl * inline: Add copyright/license info on a per-post basis to atom 2008-01-09 01:05:54 -05:00
atompage.tmpl include license/copyright/author info if available 2008-01-09 02:32:03 -05:00
blogpost.tmpl * Add postformtext parameter to inline. 2007-04-12 04:13:55 +00:00
change.tmpl * Add recentchangesdiff plugin that adds diffs to the recentchanges feeds. 2008-03-03 15:53:34 -05:00
editpage.tmpl Fix CSRF attacks against the preferences and edit forms. Closes: #475445 2008-04-10 16:35:30 -04:00
estseek.conf * Work with hyperestraier 1.4.9. 2006-11-13 20:07:55 +00:00
feedlink.tmpl * Atom feed support based on a patch by Clint Adams. 2006-10-08 23:57:37 +00:00
inlinepage.tmpl basic styling for license and copyright 2007-09-15 00:38:30 +00:00
misc.tmpl * The search plugin needs to override <base> to point to the directory 2008-02-14 15:20:49 -05:00
page.tmpl * Page templates can now use CTIME to show when the page was created. 2008-02-09 23:05:48 -05:00
passwordmail.tmpl - finish user registration and password request email 2006-03-12 20:10:42 +00:00
recentchanges.tmpl rename template 2008-01-29 13:39:12 -05:00
rssitem.tmpl * Apply a patch from NicolasLimare adding modification date tags to rss and 2007-08-11 23:15:08 +00:00
rsspage.tmpl * Apply a patch from NicolasLimare adding modification date tags to rss and 2007-08-11 23:15:08 +00:00
searchform.tmpl * Patch from James Westby to add a template for the search form. 2006-08-26 21:57:59 +00:00
titlepage.tmpl oh, this is confusing, it needs escaping in <title>, but not when it's used 2007-03-21 06:22:06 +00:00