From 407e65b998d62ef65046facba0d66a5dbbcb2509 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sat, 15 Oct 2011 10:40:31 +0200
Subject: Treat a whitespace-only page as empty and delete it FS#2283
---
 inc/common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'inc/common.php')
diff --git a/inc/common.php b/inc/common.php
index ec7f9bece..8b92ebcbc 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -980,7 +980,7 @@ function saveWikiText($id,$text,$summary,$minor=false){
 $file = wikiFN($id);
 $old = @filemtime($file); // from page
- $wasRemoved = empty($text);
+ $wasRemoved = (trim($text) == ''); // check for empty or whitespace only
 $wasCreated = !@file_exists($file);
 $wasReverted = ($REV==true);
 $newRev = false;
--
cgit v1.2.3
From 85fef7e2945dc208c20d655d280aac102658747a Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sat, 15 Oct 2011 18:41:09 +0200
Subject: allow page unlocking based on session IDs FS#2262
---
 inc/common.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'inc/common.php')
diff --git a/inc/common.php b/inc/common.php
index 8b92ebcbc..39af439f8 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -714,8 +714,8 @@ function checklock($id){
 }
 //my own lock
- $ip = io_readFile($lock);
- if( ($ip == clientIP()) || ($ip == $_SERVER['REMOTE_USER']) ){
+ list($ip,$session) = explode("\n",io_readFile($lock));
+ if($ip == $_SERVER['REMOTE_USER'] || $ip == clientIP() || $session == session_id()){
 return false;
 }
@@ -738,7 +738,7 @@ function lock($id){
 if($_SERVER['REMOTE_USER']){
 io_saveFile($lock,$_SERVER['REMOTE_USER']);
 }else{
- io_saveFile($lock,clientIP());
+ io_saveFile($lock,clientIP()."\n".session_id());
 }
 }
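Review bot: The new `$wasRemoved` line compares with a loose `==` against `''`; because `trim()` always returns a string the result is correct here, but `$wasRemoved = (trim($text) === '');` states the intent without leaning on PHP's loose-comparison rules. This also changes behaviour for a page whose entire content is the string `0`: `empty('0')` was true, so such a page was deleted on save, whereas `trim('0') == ''` is false and it is now kept, which is worth a mention in the commit message since it is not whitespace-related. `trim()` only strips ASCII whitespace, so a page made of non-breaking spaces is still treated as non-empty. saveWikiText's body continues outside the hunk.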
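Review bot: `list($ip,$session) = explode("\n", ...)` leaves `$session` undefined (an E_NOTICE, value null) whenever the lock file has a single line, which is exactly what lock() writes for logged-in users in the @@ -738 hunk and what every lock file created before this change contains. With the loose `==` that follows, `null == session_id()` is true whenever `session_id()` is the empty string, so a request with no active session would treat every single-line lock as its own; I believe DokuWiki starts a session on each request, but the lock check should not depend on that. Pad the parts and compare strictly: `list($ip,$session) = array_pad(explode("\n", io_readFile($lock), 2), 2, '');` and `if($ip === $_SERVER['REMOTE_USER'] || $ip === clientIP() || ($session !== '' && $session === session_id())){`. The same two lines are repeated in the unlock() hunk at @@ -751 and need the same change; checklock's body starts outside this hunk.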
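Review bot: The lock file now has two layouts — a single line holding REMOTE_USER for logged-in users, or two lines holding the client IP and the session id for anonymous users — and nothing in lock() records that, although checklock() and unlock() both parse it. A comment on the branch would help the next reader: `// lock file format: REMOTE_USER, or clientIP()."\n".session_id() for anonymous users`. Since a live session id is now persisted in the lock file, it is worth confirming that the locks directory stays outside the web root and is not readable by other local users; lock() starts outside the hunk.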
@@ -751,8 +751,8 @@ function lock($id){
 function unlock($id){
 $lock = wikiLockFN($id);
 if(@file_exists($lock)){
- $ip = io_readFile($lock);
- if( ($ip == clientIP()) || ($ip == $_SERVER['REMOTE_USER']) ){
+ list($ip,$session) = explode("\n",io_readFile($lock));
+ if($ip == $_SERVER['REMOTE_USER'] || $ip == clientIP() || $session == session_id()){
 @unlink($lock);
 return true;
 }
--
cgit v1.2.3
From 8071beaa75257a6e763bf8b2d6dd586fe0935d6b Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sat, 15 Oct 2011 20:53:56 +0200
Subject: bind security token to username
This makes the security token more robust agains session fixation attacks. A CSRF warning will no longer abort a page save but lead to the preview mode to avoid information loss when a user logs in during editing (eg in another tab).
---
 inc/common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'inc/common.php')
diff --git a/inc/common.php b/inc/common.php
index 39af439f8..0c769c50d 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -56,7 +56,7 @@ function stripctl($string){
 * @return string
 */
 function getSecurityToken(){
- return md5(auth_cookiesalt().session_id());
+ return md5(auth_cookiesalt().session_id().$_SERVER['REMOTE_USER']);
 }
 /**
--
cgit v1.2.3
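Review bot: `$_SERVER['REMOTE_USER']` is read unconditionally in the new return line, so for anonymous visitors this raises an undefined-index notice and the token silently degrades to the pre-change `md5(salt.session_id())`; reading it as `(isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '')` avoids the notice and makes the anonymous case explicit. The three parts are concatenated with no separator, so the boundary between the session id and the user name is not fixed; a delimiter such as `'|'` between them makes the encoding unambiguous at no cost. A keyed construction, `hash_hmac('sha256', session_id().'|'.$user, auth_cookiesalt())`, would also be preferable to prefixing the salt into md5, though either change invalidates every outstanding token, which the commit message already accepts. The docblock visible above only says `@return string`; add a sentence stating that the token is bound to the current session and, when logged in, the user name, and therefore changes when the user logs in or out.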