Differences From:
File
src/tkt.c
part of check-in
[3c851ca760]
- Clean up handling of concealed email addresses.
This might be related to ticket 4b40f574494.
by
drh on
2008-07-24 14:48:52.
To:
File
src/tkt.c
part of check-in
[0be54823ba]
- Add defenses against cross-site request forgery attacks.
by
drh on
2008-10-18 12:55:44.
@@ -385,8 +385,9 @@
int i;
int rid;
Blob tktchng, cksum;
+ login_verify_csrf_secret();
zUuid = (const char *)pUuid;
blob_zero(&tktchng);
zDate = db_text(0, "SELECT datetime('now')");
zDate[10] = 'T';
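Review bot: The new `login_verify_csrf_secret();` call has no visible failure path in this hunk: its result is discarded, so if the helper reports a missing or wrong secret by returning rather than by terminating the request, the ticket change assembled below would still be written. Confirm that it aborts the request on mismatch, or guard the rest of the command on its result. A one-line comment would also make the intent clear to the next reader, e.g. `/* Anti-CSRF: reject the request before any ticket state is written */`. The enclosing command function starts and ends outside the hunk, so whether the secret is checked anywhere else on this path is not visible.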
@@ -468,8 +469,9 @@
getAllTicketFields();
initializeVariablesFromDb();
initializeVariablesFromCGI();
@ <form method="POST" action="%s(g.zBaseURL)/%s(g.zPath)">
+ login_insert_csrf_secret();
zScript = ticket_newpage_code();
Th_Store("login", g.zLogin);
Th_Store("date", db_text(0, "SELECT datetime('now')"));
Th_CreateCommand(g.interp, "submit_ticket", submitTicketCmd,
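Review bot: The added `login_insert_csrf_secret();` is undocumented, and a hidden secret only protects anything if the submit path verifies it, so a comment tying the two halves together would help: `/* Anti-CSRF: hidden secret that submit_ticket verifies via login_verify_csrf_secret() */`. Its placement immediately after the opening `<form>` tag is correct, since the hidden field must land inside the form element to be posted back. The enclosing page function starts and ends outside the hunk.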
@@ -529,8 +531,9 @@
initializeVariablesFromCGI();
initializeVariablesFromDb();
@ <form method="POST" action="%s(g.zBaseURL)/%s(g.zPath)">
@ <input type="hidden" name="name" value="%s(zName)">
+ login_insert_csrf_secret();
zScript = ticket_editpage_code();
Th_Store("login", g.zLogin);
Th_Store("date", db_text(0, "SELECT datetime('now')"));
Th_CreateCommand(g.interp, "append_field", appendRemarkCmd, 0, 0);
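Review bot: The `append_field` command registered on the last line runs from the same TH1 script as the verified submit command; if appendRemarkCmd, or any other command the edit script can reach, writes ticket state, it needs the same `login_verify_csrf_secret()` check — its body is outside this hunk, so that is not visible here. The new `login_insert_csrf_secret();` line also deserves the same comment as on the new-ticket page, e.g. `/* Anti-CSRF: hidden secret verified on submit */`. Separately, the hidden `name` field on the line above emits zName with `%s`; if zName comes from the request and is not restricted to an artifact id earlier in the function (not visible), it should be HTML-escaped. The enclosing page function starts and ends outside the hunk.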