Updated all existing authenticated form POSTs to use (and validate) an anti-forgery token

--HG--
extra : convert_revision : svn%3A5ff7c347-ad56-4c35-b696-ccb81de16e03/trunk%4044471
skewed
2009-12-22 23:32:37 +00:00
parent 35558ee5d5
commit bbab6d0ce5
22 changed files with 22 additions and 27 deletions


@@ -1,7 +1,7 @@
<%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage<Orchard.Core.Settings.ViewModels.SettingsIndexViewModel>" %>
<%@ Import Namespace="Orchard.Mvc.Html" %>
<h2>Edit Settings</h2>
<%using (Html.BeginForm()) { %>
<h2><%=Html.TitleForPage("Edit Settings")%></h2>
<%using (Html.BeginFormAntiForgeryPost()) { %>
<%= Html.ValidationSummary() %>
<fieldset>
<legend>Global Settings</legend>


@@ -5,7 +5,7 @@
<%@ Import Namespace="Orchard.Mvc.Html" %>
<h2>Delete pages</h2>
<p>Are you sure you want to delete the pages?</p>
<% using (Html.BeginForm()) { %>
<% using (Html.BeginFormAntiForgeryPost()) { %>
<%= Html.ValidationSummary() %>
<fieldset>
<input type="hidden" name="<%=Html.NameOf(m => m.Options.BulkAction)%>" value="<%=PageIndexBulkAction.Delete%>" />


@@ -3,7 +3,7 @@
<%@ Import Namespace="Orchard.Utility"%>
<%@ Import Namespace="Orchard.CmsPages.Services.Templates"%>
<%@ Import Namespace="Orchard.Mvc.Html" %>
<% using (Html.BeginForm()) { %>
<% using (Html.BeginFormAntiForgeryPost()) { %>
<h2>Publish later</h2>
<p>Enter the scheduled publication date:</p>
<%=Html.ValidationSummary() %>


@@ -3,7 +3,7 @@
<%@ Import Namespace="Orchard.Mvc.Html" %>
<h2>Change Template</h2>
<p>Select your layout from one of the templates below.</p>
<% using (Html.BeginForm()) {
<% using (Html.BeginFormAntiForgeryPost()) {
%><%= Html.ValidationSummary() %>
<ul class="templates"><%
foreach (var template in Model.Templates) {


@@ -2,7 +2,7 @@
<%@ Import Namespace="Orchard.Mvc.Html" %>
<h2>Add a Page</h2>
<p>Select your layout from one of the templates below.</p>
<% using (Html.BeginForm()) { %>
<% using (Html.BeginFormAntiForgeryPost()) { %>
<%=Html.ValidationSummary() %>
<%=Html.EditorForModel() %>
<% } %>


@@ -5,7 +5,7 @@
<p class="bottomSpacer"><%=_Encoded("about setting up a page") %></p>
<%=Html.ValidationSummary() %>
<div class="sections">
<% using (Html.BeginForm()) { %>
<% using (Html.BeginFormAntiForgeryPost()) { %>
<div class="primary">
<h3><%=_Encoded("Page Content") %></h3>
<%-- todo: (heskew) change the editors to be self-contained (fieldset > editor) --%>


@@ -5,7 +5,7 @@
<%-- todo: (heskew) localize --%>
<h2>Manage Pages</h2>
<p>Possible text about setting up a page goes here. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla erat turpis, blandit eget feugiat nec, tempus vel quam. Mauris et neque eget justo suscipit blandit.</p>
<% using (Html.BeginForm()) { %>
<% using (Html.BeginFormAntiForgeryPost()) { %>
<%=Html.ValidationSummary() %>
<fieldset class="actions bulk">
<label for="publishActions">Actions: </label>


@@ -10,7 +10,7 @@
new {name = navigation.FolderName, mediaPath = navigation.FolderPath})%> &#62;
<% } %>
Add a Folder</p>
<%using (Html.BeginForm()) { %>
<%using (Html.BeginFormAntiForgeryPost()) { %>
<%= Html.ValidationSummary() %>
<fieldset>
<label for="Name">Folder Name:</label>


@@ -13,7 +13,7 @@
<% } %>
Edit Media </p>
<div class="sections">
<%using (Html.BeginForm()) { %>
<%using (Html.BeginFormAntiForgeryPost()) { %>
<%= Html.ValidationSummary() %>
<div class="primary">
<h3>About this media</h3>


@@ -11,7 +11,7 @@
<% } %>
Folder Properties</p>
<%using (Html.BeginForm()) { %>
<%using (Html.BeginFormAntiForgeryPost()) { %>
<%= Html.ValidationSummary() %>
<fieldset>
<label for="Name">Folder Name:</label>


@@ -2,7 +2,7 @@
<%@ Import Namespace="Orchard.Roles.ViewModels"%>
<%@ Import Namespace="Orchard.Mvc.Html" %>
<h2>Add Role</h2>
<% using (Html.BeginForm()) { %>
<% using (Html.BeginFormAntiForgeryPost()) { %>
<%=Html.ValidationSummary()%>
<fieldset>
<legend>Information</legend>


@@ -4,7 +4,7 @@
<%@ Import Namespace="Orchard.Mvc.Html" %>
<h3>
Create Page</h3>
<%using (Html.BeginForm()) { %>
<%using (Html.BeginFormAntiForgeryPost()) { %>
<%=Html.LabelFor(x => x.Name)%><%=Html.EditorFor(x => x.Name)%>
<input type="submit" name="submit" value="Create" />


@@ -4,7 +4,7 @@
<%@ Import Namespace="Orchard.Mvc.Html" %>
<h3>
Edit Page</h3>
<%using (Html.BeginForm()) { %>
<%using (Html.BeginFormAntiForgeryPost()) { %>
<%=Html.EditorForItem(Model.Page) %>
<input type="submit" name="submit" value="Save" />
<%} %>


@@ -3,7 +3,7 @@
<%@ Import Namespace="Orchard.Security" %>
<%@ Import Namespace="Orchard.Mvc.Html" %>
<h2>Add User</h2>
<%using (Html.BeginForm()) { %>
<%using (Html.BeginFormAntiForgeryPost()) { %>
<%=Html.ValidationSummary() %>
<%=Html.EditorFor(m=>m.UserName, "inputTextLarge") %>
<%=Html.EditorFor(m=>m.Email, "inputTextLarge") %>


@@ -4,7 +4,7 @@
<%@ Import Namespace="Orchard.Mvc.Html" %>
<h2>
Edit User</h2>
<%using (Html.BeginForm()) { %>
<%using (Html.BeginFormAntiForgeryPost()) { %>
<%=Html.ValidationSummary() %>
<%=Html.EditorFor(m=>m.Id) %>
<%=Html.EditorFor(m=>m.UserName, "inputTextLarge") %>


@@ -3,7 +3,7 @@
<%@ Import Namespace="Orchard.Security" %>
<%@ Import Namespace="Orchard.Mvc.Html" %>
<h2>Manage Users</h2>
<% using (Html.BeginForm()) { %>
<% using (Html.BeginFormAntiForgeryPost()) { %>
<%=Html.ValidationSummary()%>
<div class="manage"><%=Html.ActionLink("Add a new user", "Create", new { }, new { @class = "button" })%></div>
<fieldset>


@@ -6,7 +6,7 @@
<p>New passwords are required to be a minimum of <%=Html.Encode(ViewData["PasswordLength"])%> characters in length.</p>
<%= Html.ValidationSummary("Password change was unsuccessful. Please correct the errors and try again.")%>
<% using (Html.BeginForm()) { %>
<% using (Html.BeginFormAntiForgeryPost()) { %>
<div>
<fieldset>
<legend>Account Information</legend>


@@ -9,7 +9,7 @@
<% if (Model != null && Model.Messages != null) Html.RenderPartial("Messages", Model.Messages); %>
<%= Html.ValidationSummary("Login was unsuccessful. Please correct the errors and try again.") %>
<% using (Html.BeginForm()) { %>
<% using (Html.BeginFormAntiForgeryPost()) { %>
<div>
<fieldset>
<legend>Account Information</legend>


@@ -10,7 +10,7 @@
</p>
<%= Html.ValidationSummary("Account creation was unsuccessful. Please correct the errors and try again.") %>
<% using (Html.BeginForm()) { %>
<% using (Html.BeginFormAntiForgeryPost()) { %>
<div>
<fieldset>
<legend>Account Information</legend>


@@ -3,11 +3,6 @@ using System.Web.Mvc;
namespace Orchard.Mvc.Filters {
public class AntiForgeryAuthorizationFilter : FilterProvider, IAuthorizationFilter {
public void OnAuthorization(AuthorizationContext filterContext) {
//TODO: (erikpo) Once all modules are moved over to use the AntiForgeryToken, get rid of this if statement
if (!(filterContext.RouteData.Values["area"] is string
&& (string)filterContext.RouteData.Values["area"] == "Orchard.Blogs"))
return;
if (!(filterContext.HttpContext.Request.HttpMethod == "POST" && filterContext.RequestContext.HttpContext.Request.IsAuthenticated))
return;
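Review bot: With the area gate removed, the only exemption left is `Request.IsAuthenticated` on the remaining `if`, so anonymous POSTs are never validated — including the Login and Register forms this same commit switches to `BeginFormAntiForgeryPost`, whose tokens are therefore emitted but never checked, leaving login CSRF unaddressed. If those forms are meant to be covered, drop the authentication condition, `if (filterContext.HttpContext.Request.HttpMethod != "POST") return;`, assuming the underlying MVC token works for anonymous requests (it is cookie-bound, so it should), or record in a comment that anonymous forms are deliberately out of scope. The verb check is also an exact `"POST"` string comparison, so any other state-changing verb a module accepts is silently skipped. The body of `OnAuthorization` continues past the end of this hunk.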


@@ -199,7 +199,7 @@ namespace Orchard.Mvc.Html {
tagBuilder.MergeAttribute("action", formAction);
tagBuilder.MergeAttribute("method", HtmlHelper.GetFormMethodString(formMethod), true);
htmlHelper.ViewContext.HttpContext.Response.Write(tagBuilder.ToString(TagRenderMode.StartTag));
htmlHelper.ViewContext.HttpContext.Response.Output.Write(tagBuilder.ToString(TagRenderMode.StartTag));
return new MvcFormAntiForgeryPost(htmlHelper);
}
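Review bot: The start tag on the new line is written straight to `Response.Output`, which bypasses whatever writer the view is currently rendering into; if this form sits inside view content captured to a string (a partial rendered to a writer, a templated helper), the `<form>` tag reaches the response before the captured content and ends up out of order with the fields, the token and the closing tag. If this targets MVC 2, `htmlHelper.ViewContext.Writer.Write(tagBuilder.ToString(TagRenderMode.StartTag));` is the target the stock `Html.BeginForm` uses and keeps all three writes on one stream. The `formMethod` parameter on the `method` line comes from a signature above the hunk; given the helper is named `...AntiForgeryPost`, it is worth rejecting anything but POST there so a GET form never carries the token in the query string. The enclosing method starts before this hunk.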


@@ -10,7 +10,7 @@ namespace Orchard.Mvc.Html {
}
protected override void Dispose(bool disposing) {
_htmlHelper.ViewContext.RequestContext.HttpContext.Response.Write(_htmlHelper.AntiForgeryTokenOrchard());
_htmlHelper.ViewContext.HttpContext.Response.Output.Write(_htmlHelper.AntiForgeryTokenOrchard());
base.Dispose(disposing);
}
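Review bot: The token is written on every `Dispose(bool)` call, including the `disposing == false` path, where touching the response is neither safe nor meaningful; wrap the new write in `if (disposing) { ... }` and leave `base.Dispose(disposing)` unconditional. If I recall the base `MvcForm` correctly, it guards its own `</form>` write against a second dispose, but this override has no such guard, so a double dispose would emit the hidden token twice — a private `_disposed` flag set inside the same `if` covers both. As with `BeginFormAntiForgeryPost`, writing to `Response.Output` rather than the view's current writer can place the token outside captured view output; presumably fine for full-page views, but worth verifying for partials.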