Fix CSRF issues

GET routes are not protected against CSRF. This commit changes the needed URLs to
POST and replace simple links with forms.

Thanks @fdb-hiroshima for noticing it!
This commit is contained in:
Bat
2018-09-19 18:13:07 +01:00
parent eb24ba1774
commit d8ca1d70b7
12 changed files with 76 additions and 32 deletions
+2 -2
View File
@@ -156,7 +156,7 @@ fn admin_instances_paginated(admin: Admin, conn: DbConn, page: Page) -> Template
}))
}
#[get("/admin/instances/<id>/block")]
#[post("/admin/instances/<id>/block")]
fn toggle_block(_admin: Admin, conn: DbConn, id: i32) -> Redirect {
if let Some(inst) = Instance::get(&*conn, id) {
inst.toggle_block(&*conn);
@@ -183,7 +183,7 @@ fn admin_users_paginated(admin: Admin, conn: DbConn, page: Page) -> Template {
}))
}
#[get("/admin/users/<id>/ban")]
#[post("/admin/users/<id>/ban")]
fn ban(_admin: Admin, conn: DbConn, id: i32) -> Redirect {
User::get(&*conn, id).map(|u| u.delete(&*conn));
Redirect::to(uri!(admin_users))
+2 -2
View File
@@ -97,14 +97,14 @@ fn details(id: i32, user: User, conn: DbConn) -> Template {
}))
}
#[get("/medias/<id>/delete")]
#[post("/medias/<id>/delete")]
fn delete(id: i32, _user: User, conn: DbConn) -> Redirect {
let media = Media::get(&*conn, id).expect("Media to delete not found");
media.delete(&*conn);
Redirect::to(uri!(list))
}
#[get("/medias/<id>/avatar")]
#[post("/medias/<id>/avatar")]
fn set_avatar(id: i32, user: User, conn: DbConn) -> Redirect {
let media = Media::get(&*conn, id).expect("Media to delete not found");
user.set_avatar(&*conn, media.id);
+1 -1
View File
@@ -338,7 +338,7 @@ fn create(blog_name: String, data: LenientForm<NewPostForm>, user: User, conn: D
}
}
#[get("/~/<blog_name>/<slug>/delete")]
#[post("/~/<blog_name>/<slug>/delete")]
fn delete(blog_name: String, slug: String, conn: DbConn, user: User, worker: State<Pool<ThunkWorker<()>>>) -> Redirect {
let post = Blog::find_by_fqn(&*conn, blog_name.clone())
.and_then(|blog| Post::find_by_slug(&*conn, slug.clone(), blog.id));
+3 -3
View File
@@ -118,7 +118,7 @@ fn dashboard_auth() -> Flash<Redirect> {
)
}
#[get("/@/<name>/follow")]
#[post("/@/<name>/follow")]
fn follow(name: String, conn: DbConn, user: User, worker: Worker) -> Redirect {
let target = User::find_by_fqn(&*conn, name.clone()).unwrap();
if let Some(follow) = follows::Follow::find(&*conn, user.id, target.id) {
@@ -138,7 +138,7 @@ fn follow(name: String, conn: DbConn, user: User, worker: Worker) -> Redirect {
Redirect::to(uri!(details: name = name))
}
#[get("/@/<name>/follow", rank = 2)]
#[post("/@/<name>/follow", rank = 2)]
fn follow_auth(name: String) -> Flash<Redirect> {
utils::requires_login(
"You need to be logged in order to follow someone",
@@ -225,7 +225,7 @@ fn update(_name: String, conn: DbConn, user: User, data: LenientForm<UpdateUserF
Redirect::to(uri!(me))
}
#[get("/@/<name>/delete")]
#[post("/@/<name>/delete")]
fn delete(name: String, conn: DbConn, user: User, mut cookies: Cookies) -> Redirect {
let account = User::find_by_fqn(&*conn, name.clone()).unwrap();
if user.id == account.id {