Differences From:
File
src/shun.c
part of check-in
[94a93469c8]
- Clicking the "Shun" submenu does not shun immediately, but only takes
you to the page where you can click the "shun" button.
by
drh on
2008-06-02 15:01:53.
To:
File
src/shun.c
part of check-in
[0be54823ba]
- Add defenses against cross-site request forgery attacks.
by
drh on
2008-10-18 12:55:44.
@@ -66,8 +66,9 @@
}
}
style_header("Shunned Artifacts");
if( zUuid && P("sub") ){
+ login_verify_csrf_secret();
db_multi_exec("DELETE FROM shun WHERE uuid='%s'", zUuid);
if( db_exists("SELECT 1 FROM blob WHERE uuid='%s'", zUuid) ){
@ <p><font color="blue">Artifact
@ <a href="%s(g.zBaseURL)/artifact/%s(zUuid)">%s(zUuid)</a> is no
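Review bot: The DELETE on the second line of this hunk, `db_multi_exec("DELETE FROM shun WHERE uuid='%s'", zUuid);`, and the db_exists() right after it splice zUuid into SQL with `%s`, which in Fossil's own printf is the raw-string conversion (`%q` is the SQL-quoting one, just as `%h` is the HTML-escaping one used further down this diff). Whether that is exploitable depends on zUuid already being constrained to a hex artifact ID before line 66 — the two closing braces at the top of the hunk look like the tail of such a validation block, but it is outside the hunk and I cannot confirm it. The new login_verify_csrf_secret() does not cover this case, since an authenticated user can submit the form with any uuid value. Use `uuid='%q'` in both statements so the query's safety does not rest on an up-front check that may be loosened later; shun_page's body begins before this hunk and continues after it.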
@@ -80,8 +81,9 @@
@ can pulled in from other respositories.</font></p>
}
}
if( zUuid && P("add") ){
+ login_verify_csrf_secret();
db_multi_exec("INSERT OR IGNORE INTO shun VALUES('%s')", zUuid);
@ <p><font color="blue">Artifact
@ <a href="%s(g.zBaseURL)/artifact/%s(zUuid)">%s(zUuid)</a> has been
@ shunned. It will no longer be pushed.
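Review bot: `db_multi_exec("INSERT OR IGNORE INTO shun VALUES('%s')", zUuid);` on the second line of this hunk has the same raw `%s` interpolation as the DELETE path; change it to `VALUES('%q')` so a quote character in the uuid parameter cannot alter the statement even if the earlier validation of zUuid (not visible here) is relaxed. The placement of login_verify_csrf_secret() is right — it runs before the write — but style_header() has already started the response, so a rejected token presumably aborts mid-page; a one-line comment `/* CSRF check must precede the write; the page header is already out */` would make that trade-off explicit. The enclosing function continues outside this hunk.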
@@ -125,8 +127,9 @@
@ sight - set the "hidden" tag on such artifacts instead.</p>
@
@ <blockquote>
@ <form method="POST" action="%s(g.zBaseURL)/%s(g.zPath)">
+ login_insert_csrf_secret();
@ <input type="text" name="uuid" value="%h(PD("shun",""))" size="50">
@ <input type="submit" name="add" value="Shun">
@ </form>
@ </blockquote>
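Review bot: The new `login_insert_csrf_secret();` line carries no comment, and nothing in the form ties it to the login_verify_csrf_secret() that guards the `add` branch earlier in the file, so a later edit that rebuilds this form could drop the token and silently reopen the CSRF hole. Add `/* Emits the hidden CSRF token; login_verify_csrf_secret() in the "add" handler rejects the POST without it. */` above the call. The prefilled value is correctly HTML-escaped with `%h(PD("shun",""))`, so no change is needed there. The enclosing function continues past this hunk.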
@@ -138,8 +141,9 @@
@ operations.</p>
@
@ <blockquote>
@ <form method="POST" action="%s(g.zBaseURL)/%s(g.zPath)">
+ login_insert_csrf_secret();
@ <input type="text" name="uuid" size="50">
@ <input type="submit" name="sub" value="Accept">
@ </form>
@ </blockquote>