Item1568: Make expiry of validation on save an expert configure setting

default is on naturally git-svn-id: http://svn.foswiki.org/branches/Release01x00@4034 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
foswiki · Jun 5, 2009 · e778ffd · e778ffd
1 parent 21c7dbd
commit e778ffd
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 5 deletions.
diff --git a/core/lib/Foswiki.spec b/core/lib/Foswiki.spec
@@ -334,6 +334,19 @@ $Foswiki::cfg{Validation}{ValidForTime} = 3600;
 # key stored for each page rendered. If the number of keys exceeds this
 # number, the oldest keys will be force-expired to bring the number down.
 $Foswiki::cfg{Validation}{MaxKeysPerSession} = 1000;
+# **BOOLEAN EXPERT**
+# Expire a validation key immediately when it is used to validate the saving
+# of a page. This protects against an attacker evesdropping the communication
+# between browser and server and exploiting the keys sent from browser to
+# server. This setting means that if a user edits and saves a page and then go
+# back to the edit screen using the browser back button and saves again, the
+# user will be met by a warning screen against "Suspicious request from
+# browser". Same warning will be displayed if you build an application with
+# pages containing multiple forms and the users tries to submit from these
+# forms more than once. If this warning screen is a problem for your users you
+# can disable this setting which enables reuse of validation keys. This
+# however lowers the level of security against cross-site request forgery.
+$Foswiki::cfg{Validation}{ExpireKeyOnSave} = 1;
 
 #---++ Authentication
 # **SELECTCLASS none,Foswiki::LoginManager::*Login**

diff --git a/core/lib/Foswiki/UI.pm b/core/lib/Foswiki/UI.pm
@@ -521,15 +521,19 @@ sub checkValidationKey {
     # Check the nonce before we do anything else
     my $nonce = $session->{request}->param('validation_key');
     $session->{request}->delete('validation_key');
-    if (!defined($nonce) || !Foswiki::Validation::isValidNonce(
-        $session->getCGISession(), $nonce)) {
+    if ( !defined($nonce)
+        || !Foswiki::Validation::isValidNonce( $session->getCGISession(),
+            $nonce ) )
+    {
         throw Foswiki::ValidationException();
     }
-    if (defined($nonce)) {
+    if ( defined($nonce) ) {
+
         # Expire the nonce. If the user tries to use it again, they will
         # be prompted.
         Foswiki::Validation::expireValidationKeys(
-            $session->getCGISession(), $nonce );
+            $session->getCGISession(),
+            $Foswiki::cfg{Validation}{ExpireKeyOnSave} ? $nonce : undef );
     }
 }
 

diff --git a/core/pub/System/JavascriptFiles/strikeone.js b/core/pub/System/JavascriptFiles/strikeone.js
@@ -3,7 +3,7 @@ function foswikiStrikeOne(form) {
     var secret = readCookie('FOSWIKISTRIKEONE');
     //console.debug("Submit "+form.name);
     var input = form.validation_key;
-    if (input && input.value) {
+    if (input && input.value && input.value.charAt(0) == '?') {
         // combine the validation key with the secret in a way
         // that can't easily be reverse-engineered, but can be
         // duplicated on the server (which also knows the secret)