zydronium/neocities
1
0
Fork 0
mirror of https://github.com/neocities/neocities.git synced 2025-04-24 17:22:35 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'csrf_fix'

Browse source
This commit is contained in:
Kyle Drake 2013-06-22 14:30:48 -07:00
commit 458a86c26f
6 changed files with 39 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
app.rb
View file

@ -201,7 +201,7 @@ get '/site_files/text_editor/:filename' do |filename|
end end
post '/site_files/save/:filename' do |filename| post '/site_files/save/:filename' do |filename|
halt 'You are not logged in!' if current_site.nil? require_login_ajax
tmpfile = Tempfile.new 'neocities_saving_file' tmpfile = Tempfile.new 'neocities_saving_file'
@ -235,6 +235,10 @@ get '/privacy' do
slim :'privacy' slim :'privacy'
end end
before do
redirect '/' if request.post? && !csrf_safe?
end
def sites_name_redirect def sites_name_redirect
path = request.path.gsub "/sites/#{params[:name]}", '' path = request.path.gsub "/sites/#{params[:name]}", ''
# path += "/#{params[:file]}" unless params[:file].nil? # path += "/#{params[:file]}" unless params[:file].nil?
@ -246,6 +250,18 @@ def dashboard_if_signed_in
redirect '/dashboard' if signed_in? redirect '/dashboard' if signed_in?
end end
def require_login_ajax
halt 'You are not logged in!' unless signed_in?
end
def csrf_safe?
csrf_token == params[:csrf_token] || csrf_token == request.env['HTTP_X_CSRF_TOKEN']
end
def csrf_token
session[:_csrf_token] ||= SecureRandom.base64(32)
end
def require_login def require_login
redirect '/' unless signed_in? redirect '/' unless signed_in?
end end

1
views/dashboard.slim
View file

@ -66,6 +66,7 @@ javascript:
h4: a href="/site_files/#{current_site.username}.zip" Download Entire Site h4: a href="/site_files/#{current_site.username}.zip" Download Entire Site
form method="POST" action="/site_files/delete" id="deleteFilenameForm" form method="POST" action="/site_files/delete" id="deleteFilenameForm"
input name="csrf_token" type="hidden" value="#{csrf_token}"
input type="hidden" id="deleteFilenameInput" name="filename" input type="hidden" id="deleteFilenameInput" name="filename"
.modal.hide.fade id="deleteConfirmModal" tabindex="-1" role="dialog" aria-labelledby="deleteConfirmModalLabel" aria-hidden="true" .modal.hide.fade id="deleteConfirmModal" tabindex="-1" role="dialog" aria-labelledby="deleteConfirmModalLabel" aria-hidden="true"

13
views/layout.slim
View file

@ -9,6 +9,7 @@ html
link href="/css/styles.css" rel="stylesheet" link href="/css/styles.css" rel="stylesheet"
meta property="og:title" content="NeoCities" meta property="og:title" content="NeoCities"
meta property="og:description" content="NeoCities is the new Geocities. Create your own free home page, and do whatever you want with it." meta property="og:description" content="NeoCities is the new Geocities. Create your own free home page, and do whatever you want with it."
meta name="csrf-token" content="#{csrf_token}"
script src="/js/jquery.min.js" script src="/js/jquery.min.js"
body body
@ -40,6 +41,16 @@ html
script src="/js/bootstrap.min.js" script src="/js/bootstrap.min.js"
javascript:
!function(){
var csrf_token = $('meta[name="csrf-token"]').attr('content');
$(document).ajaxSend(function(ev, jqxhr){
jqxhr.setRequestHeader('X-CSRF-Token', csrf_token);
});
}();
javascript: javascript:
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
@ -47,4 +58,4 @@ html
})(window,document,'script','//www.google-analytics.com/analytics.js','ga'); })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-41925541-1', 'neocities.org'); ga('create', 'UA-41925541-1', 'neocities.org');
ga('send', 'pageview'); ga('send', 'pageview');

7
views/new.slim
View file

@ -14,9 +14,10 @@ javascript:
.row .row
.span8.offset3 .span8.offset3
form method="POST" action="/create" form method="POST" action="/create"
input name="csrf_token" type="hidden" value="#{csrf_token}"
h2 Create a new Home Page h2 Create a new Home Page
.row .row
.span6 .span6
p First, enter a username. This will also be used as your site path.<br><b>Do not forget this, it will be used to sign in to and manage your home page.</b><br>It cannot contain spaces, and can only use the following characters: a-z A-Z 0-9 _ - p First, enter a username. This will also be used as your site path.<br><b>Do not forget this, it will be used to sign in to and manage your home page.</b><br>It cannot contain spaces, and can only use the following characters: a-z A-Z 0-9 _ -
@ -71,4 +72,4 @@ javascript:
.row style="margin-top: 10px" .row style="margin-top: 10px"
.span3.offset1 .span3.offset1
input.btn.btn-success.btn-large type="submit" value="Create Home Page" input.btn.btn-success.btn-large type="submit" value="Create Home Page"

4
views/signin.slim
View file

@ -5,10 +5,12 @@
.row .row
.span12 .span12
form method="POST" action="/signin" form method="POST" action="/signin"
input name="csrf_token" type="hidden" value="#{csrf_token}"
fieldset fieldset
div: input name="username" type="text" placeholder="Your username" div: input name="username" type="text" placeholder="Your username"
div: input name="password" type="password" placeholder="Your password" div: input name="password" type="password" placeholder="Your password"
div: button class="btn btn-large btn-success" href="#" style="margin-top: 10px" Sign in div: button class="btn btn-large btn-success" href="#" style="margin-top: 10px" Sign in
.row .row
.span12 .span12
a href="/new" I don't have an account yet. a href="/new" I don't have an account yet.

3
views/site_files/new.slim
View file

@ -13,6 +13,7 @@
.row .row
.span12.text-center .span12.text-center
form method="POST" action="/site_files/upload" enctype="multipart/form-data" form method="POST" action="/site_files/upload" enctype="multipart/form-data"
input name="csrf_token" type="hidden" value="#{csrf_token}"
h4 Select a file from your computer: h4 Select a file from your computer:
h4: input type="file" name="newfile" h4: input type="file" name="newfile"
p: input.btn.btn-success.btn-large type="submit" value="Upload File" p: input.btn.btn-success.btn-large type="submit" value="Upload File"
@ -31,4 +32,4 @@
h4 If the file already exists, <u><b>it will be overwritten without warning</b></u>. h4 If the file already exists, <u><b>it will be overwritten without warning</b></u>.
h4 It has to be <u>legal to share this content in the United States</u>. h4 It has to be <u>legal to share this content in the United States</u>.
h4 It must fit into your home page space (5MB). h4 It must fit into your home page space (5MB).
h4 The file uploader will automatically scrub any characters not matching: a-z A-Z 0-9 _ - . h4 The file uploader will automatically scrub any characters not matching: a-z A-Z 0-9 _ - .