diff options
| author | Michael Hamann <michael@content-space.de> | 2011-05-25 12:15:04 +0200 |
|---|---|---|
| committer | Michael Hamann <michael@content-space.de> | 2011-05-25 12:15:04 +0200 |
| commit | f7b6e27ea2558ddfc97547178408841c5d51c5b6 (patch) | |
| tree | 415974b93772d3a61a6125ba73fd4a6548a2f49f | |
| parent | 5db163967c4a81c7ff8f76c0d157663a00c71e5f (diff) | |
| download | rpg-f7b6e27ea2558ddfc97547178408841c5d51c5b6.tar.gz rpg-f7b6e27ea2558ddfc97547178408841c5d51c5b6.tar.bz2 | |
Remove the security token from the ajax draft/lock calls again
The security token here doesn't improve the security as the other
requests that allow you to do the same thing aren't protected and I
don't see why locking or draft creation should be subject of XSRF
attacks.
| -rw-r--r-- | lib/exe/ajax.php | 2 | ||||
| -rw-r--r-- | lib/scripts/edit.js | 1 | ||||
| -rw-r--r-- | lib/scripts/locktimer.js | 1 |
3 files changed, 0 insertions, 4 deletions
diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php index b2463ed3f..1056a05f8 100644 --- a/lib/exe/ajax.php +++ b/lib/exe/ajax.php @@ -128,7 +128,6 @@ function ajax_lock(){ $ID = cleanID($_POST['id']); if(empty($ID)) return; - if (!checkSecurityToken()) return; $INFO = pageinfo(); @@ -169,7 +168,6 @@ function ajax_lock(){ function ajax_draftdel(){ $id = cleanID($_REQUEST['id']); if(empty($id)) return; - if (!checkSecurityToken()) return; $client = $_SERVER['REMOTE_USER']; if(!$client) $client = clientIP(true); diff --git a/lib/scripts/edit.js b/lib/scripts/edit.js index 31afcc126..a96a346dc 100644 --- a/lib/scripts/edit.js +++ b/lib/scripts/edit.js @@ -275,7 +275,6 @@ function deleteDraft() { if(dwform){ var params = 'call=draftdel'; params += '&id='+encodeURIComponent(dwform.elements.id.value); - params += '§ok='+encodeURIComponent(dwform.elements.sectok.value); var sackobj = new sack(DOKU_BASE + 'lib/exe/ajax.php'); // this needs to be synchronous and GET to not be aborted upon page unload diff --git a/lib/scripts/locktimer.js b/lib/scripts/locktimer.js index 5335e228f..0db7d2b15 100644 --- a/lib/scripts/locktimer.js +++ b/lib/scripts/locktimer.js @@ -73,7 +73,6 @@ var locktimer = { if(now.getTime() - locktimer.lasttime.getTime() > 30*1000){ var params = 'call=lock&id='+encodeURIComponent(locktimer.pageid); var dwform = $('dw__editform'); - params += '§ok='+encodeURIComponent(dwform.elements.sectok.value); if(locktimer.draft && dwform.elements.wikitext){ params += '&prefix='+encodeURIComponent(dwform.elements.prefix.value); params += '&wikitext='+encodeURIComponent(dwform.elements.wikitext.value); |