
Item12849: Item12411: REST validation checks

No need to check validation if it's disabled at the core level

Also document why rest isn't using the common validation code, which
would have avoided this issue. And fix up some other comments.

Conflicts:
	core/lib/Foswiki/UI/Rest.pm

git-svn-id: http://svn.foswiki.org/trunk@17578 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
GeorgeClark authored and GeorgeClark committed Apr 24, 2014
1 parent 5e55ff9 commit 189800bdc13b8fa980a7f25a107a1ae72146f98b
Showing with 23 additions and 20 deletions.
  1. +23 −20 core/lib/Foswiki/UI/Rest.pm
@@ -232,26 +232,29 @@ sub rest {
}
# Validate the request
if ( $record->{validate} ) {
unless ( $session->inContext('command_line') ) {
my $nonce = $req->param('validation_key');
if (
!defined($nonce)
|| !Foswiki::Validation::isValidNonce(
$session->getCGISession(), $nonce
)
)
{
$res->header( -type => 'text/html', -status => '403' );
$err = "ERROR: (403) Invalid validation code";
$res->print($err);
throw Foswiki::EngineException( 403, $err, $res );
}
# SMELL: Note we don't expire the validation code. If we expired it,
# then subsequent requests using the same code would have to be
# interactively confirmed, which isn't really an option with
# an XHR.
# SMELL: We can't use Foswiki::UI::checkValidationKey.
# The common reoutine expires the key, but if we expired it,
# then subsequent requests using the same code would have to be
# interactively confirmed, which isn't really an option with
# an XHR. Also, the common routine throws a ValidationException
# and we want a simple engine exception here.
if ( $record->{validate}
&& $Foswiki::cfg{Validation}{Method} ne 'none'
&& !$session->inContext('command_line') )
{
my $nonce = $req->param('validation_key');
if (
!defined($nonce)
|| !Foswiki::Validation::isValidNonce(
$session->getCGISession(), $nonce
)
)
{
$res->header( -type => 'text/html', -status => '403' );
$err = "ERROR: (403) Invalid validation code";
$res->print($err);
throw Foswiki::EngineException( 403, $err, $res );
}
}
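Review bot: the added `$Foswiki::cfg{Validation}{Method} ne 'none'` guard fails safe when the setting is unset (an undefined value compares unequal to `'none'`, so the nonce check still runs), but it will emit an "uninitialized value" warning on every REST call on such a configuration; comparing `( $Foswiki::cfg{Validation}{Method} || '' ) ne 'none'` avoids the noise without changing the outcome. Two smaller points in the same hunk: the new comment block misspells "routine" as "reoutine", and it would be worth spelling out in that comment that, because the key is deliberately not expired here, a validation key stays replayable for the lifetime of the CGI session, so REST handlers registered with `validate` should not assume single-use semantics for the key. The response path also sets `-type => 'text/html'` while printing a plain-text error string; `text/plain` would be more accurate for the body that is actually written.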
