Changeset 13086


Timestamp:
May 11, 2013, 2:54:00 PM (11 years ago)
Author:
Steffen Hoffmann
Message:

VotePlugin: Insert and evaluate tokens to prevent CSRF attacks, refs #7744.

Code has been re-used from Trac core, and I've been lucky to get pre-commit
review of these changes by Ryan J Ollos, who provided the simpler set_vote.

Location:
voteplugin/trunk/tracvote
Files:
2 edited

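--- a/voteplugin/trunk/tracvote/__init__.py
+++ b/voteplugin/trunk/tracvote/__init__.py
@@ -361,8 +361,19 @@
         old_vote = self.get_vote(req, resource)
 
-        if old_vote == vote:
-            vote = 0
-            self.set_vote(req, resource, 0)
+        # Protect against CSRF attacks: Validate the token like done in Trac
+        # core for all POST requests with a content-type corresponding
+        # to form submissions.
+        msg = ''
+        if req.args.get('token') != req.form_token:
+            if self.env.secure_cookies and req.scheme == 'http':
+                msg = ("Secure cookies are enabled, you must use https for "
+                       "your requests.")
+            else:
+                msg = ("Do you have cookies enabled?")
+            raise TracError(msg)
         else:
+            if old_vote == vote:
+                # Second click on same icon revokes previous vote.
+                vote = 0
             self.set_vote(req, resource, vote)
 
@@ -582,11 +593,13 @@
                      alt='Up-vote')
         down = tag.img(src=req.href.chrome('vote/' + self.image_map[vote][1]),
-                     alt='Down-vote')
+                       alt='Down-vote')
         if not 'action' in req.args and 'VOTE_MODIFY' in req.perm and \
                 get_reporter_id(req) != 'anonymous':
             down = tag.a(down, id='downvote',
-                         href=req.href.vote('down', path),
+                         href=req.href.vote('down', path,
+                                            token=req.form_token),
                          title='Down-vote')
-            up = tag.a(up, id='upvote', href=req.href.vote('up', path),
+            up = tag.a(up, id='upvote',
+                       href=req.href.vote('up', path, token=req.form_token),
                        title='Up-vote')
             add_script(req, 'vote/js/tracvote.js')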
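Review bot: The token is passed in a GET query string (`href=req.href.vote('down', path, token=req.form_token)` at new lines 599-600 and 603) and the check at new line 367 reads it from `req.args` without looking at the request method, so the vote stays a state change triggered by a plain link and the token value can end up in browser history, proxy and server logs and Referer headers, which weakens what the check adds. A sturdier shape would have tracvote.js submit the vote as a POST carrying the token in the body, with the handler refusing other methods; the non-JS fallback would then need a small form instead of an anchor, which this changeset does not touch. As a style point, the `else:` at new line 374 is unnecessary after `raise TracError(msg)`, and `msg = ''` at new line 366 is always overwritten, so both can be dropped to flatten the block. The same query-string token is consumed in tracvote.js in the next section, and the enclosing method begins before this hunk.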
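--- a/voteplugin/trunk/tracvote/htdocs/js/tracvote.js
+++ b/voteplugin/trunk/tracvote/htdocs/js/tracvote.js
@@ -1,7 +1,13 @@
 $(document).ready(function() {
   $('#upvote, #downvote').click(function() {
-  var button = this;
+    var button = this;
+    var href;
+    if (this.href.indexOf('?') === -1) {
+      href = this.href + '?js=1';
+    } else {
+      href = this.href + '&js=1';
+    }
 
-    $.get(this.href + '?js=1', function(result) {
+    $.get(href, function(result) {
       result = result.split(':');
 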
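Review bot: The new `if`/`else` at lines 4-9 only chooses the query separator, and a single expression says the same thing more directly: `var href = this.href + (this.href.indexOf('?') === -1 ? '?js=1' : '&js=1');`. What `js=1` asks the server for is not recorded anywhere in the script; a comment next to the `$.get` such as `// js=1 requests the plain 'x:y' reply parsed below instead of the normal page` would help, with the exact reply format confirmed against the Python handler, since only `result.split(':')` is visible here. The click handler continues past the end of this hunk.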