From 8ff761afa24febdb280c672b3b31d6145990f050 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Fri, 14 May 2010 14:21:45 -0400
Subject: [PATCH] remove, rename: Add guards against XSRF attacks.

---
 IkiWiki/Plugin/remove.pm | 4 ++++
 IkiWiki/Plugin/rename.pm | 4 ++++
 debian/changelog | 1 +
 3 files changed, 9 insertions(+)

diff --git a/IkiWiki/Plugin/remove.pm b/IkiWiki/Plugin/remove.pm
index a46294e78..d23b2cc10 100644
--- a/IkiWiki/Plugin/remove.pm
+++ b/IkiWiki/Plugin/remove.pm
@@ -107,6 +107,8 @@ sub confirmation_form ($$) {
 fields => [qw{do page}],
 );
 
+ $f->field(name => "sid", type => "hidden", value => $session->id,
+ force => 1);
 $f->field(name => "do", type => "hidden", value => "remove", force => 1);
 
 return $f, ["Remove", "Cancel"];
@@ -188,6 +190,8 @@ sub sessioncgi ($$) {
 postremove($session);
 }
 elsif ($form->submitted eq 'Remove' && $form->validate) {
+ IkiWiki::checksessionexpiry($q, $session, $q->param('sid'));
+
 my @pages=$form->field("page");
 
 # Validate removal by checking that the page exists,
diff --git a/IkiWiki/Plugin/rename.pm b/IkiWiki/Plugin/rename.pm
index 537e91317..0da90a538 100644
--- a/IkiWiki/Plugin/rename.pm
+++ b/IkiWiki/Plugin/rename.pm
@@ -131,6 +131,8 @@ sub rename_form ($$$) {
 );
 
 $f->field(name => "do", type => "hidden", value => "rename", force => 1);
+ $f->field(name => "sid", type => "hidden", value => $session->id,
+ force => 1);
 $f->field(name => "page", type => "hidden", value => $page, force => 1);
 $f->field(name => "new_name", value => pagetitle($page, 1), size => 60);
 if (!$q->param("attachment")) {
@@ -286,6 +288,8 @@ sub sessioncgi ($$) {
 postrename($session);
 }
 elsif ($form->submitted eq 'Rename' && $form->validate) {
+ IkiWiki::checksessionexpiry($q, $session, $q->param('sid'));
+
 # Queue of rename actions to perfom.
 my @torename;
 
diff --git a/debian/changelog b/debian/changelog
index e6c5e42ae..a09c8e228 100644
--- a/debian/changelog
+++ b/debian/changelog
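Review bot: The new hidden `sid` field in confirmation_form puts the raw session id into the page body as the anti-XSRF token, and the rename_form hunk in rename.pm does the same. If the session cookie is served HttpOnly (not visible in this patch), that protection is weakened, because a script injected into the page can now read the session id from the form instead of the cookie. A dedicated random per-session token, stored alongside the session (e.g. via `$session->param`) and compared at the same point where checksessionexpiry is called, would give the same XSRF coverage without disclosing the session id in HTML. The body of confirmation_form begins outside the hunk.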
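Review bot: The guard `IkiWiki::checksessionexpiry($q, $session, $q->param('sid'));` covers only the `Remove` branch of sessioncgi, and the matching hunk in rename.pm covers only the `Rename` branch; the preceding `postremove($session)` / `postrename($session)` branches and whatever handles the `Cancel` button are not guarded here, so it should be confirmed that those paths cannot change state from a forged request. Whether a request that omits `sid` altogether is rejected depends on checksessionexpiry, whose body is not in this patch; if it treats an undefined sid as "nothing to check", a forged form that simply leaves the field out bypasses the guard, so the helper must treat a missing sid exactly like a mismatched one. As a point of style, fetching the token with `$form->field("sid")` would match how `page` is read two lines below instead of mixing `$q->param` and `$form->field` for fields of the same form. sessioncgi starts and ends outside the hunk.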
@@ -30,6 +30,7 @@ ikiwiki (3.20100505) UNRELEASED; urgency=low
 (And also negative years.)
 * calendar: Display year in title of month calendar.
 * Use xhtml friendly pubdate setting.
+ * remove, rename: Add guards against XSRF attacks.
 
 -- Joey Hess Wed, 05 May 2010 18:07:29 -0400
 
-- 
2.32.0.93.g670b81a890