From 49c63b7d795911a10b8045e0b719fd8aeeeec874 Mon Sep 17 00:00:00 2001
From: Alex 'AdUser' Z
Date: Sun, 3 Jan 2016 14:21:56 +1000
Subject: [PATCH] + LDV::Comments->add : check security token

---
 lib/LDV/Comments.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/LDV/Comments.pm b/lib/LDV/Comments.pm
index 825a2ea..7ad3881 100644
--- a/lib/LDV/Comments.pm
+++ b/lib/LDV/Comments.pm
@@ -32,10 +32,18 @@ sub add {
 my ($self) = @_;
 eval {
+ my $sectoken = $self->session('c_sectoken')
+ or die("missing security token\n");
+ my ($ip, $upto) = ($sectoken =~ m{^[0-9a-f\.:]+-\d+$}io)
+ or die("malformed security token\n");
+ ($upto > time())
+ or die("expired security token\n");
+ ($ip eq $self->tx->remote_address)
+ or die("remote address mismatch\n");
 my $text = $self->req->param('text')
 or die("empty comment\n");
 my $pageid = $self->_gen_pageid()
- or die("can't get id\n");
+ or die("can't get pageid\n");
 my %opts = (binmode => ':bytes');
 my $comments = [];