git » wikiri » commit a2d4f32

Only allow saves using POST method.

author Alberto Bertogli
2008-01-12 01:59:41 UTC
committer Alberto Bertogli
2008-01-12 01:59:41 UTC
parent 454bc92188d5d6faf3f3f7b944a83a2c9664bfa3

Only allow saves using POST method.

This prevents people from visiting page/save (which might have been in
their history after a save), which creates an empty save and removes the
page.

Signed-off-by: Alberto Bertogli <albertito@gmail.com>

wikiri.cgi +5 -0

diff --git a/wikiri.cgi b/wikiri.cgi
index 75dea73..37b0b4f 100755
--- a/wikiri.cgi
+++ b/wikiri.cgi
@@ -928,6 +928,11 @@ def handle_cgi():
 		if artname == '' or artname == '/':
 			artname = 'index'
 
+	if save and not os.environ.get('REQUEST_METHOD', 'GET') == 'POST':
+		# only allow saves if the request is a post to prevent people
+		# from accidentally performing a GET .../save, which would
+		# result in an empty save, with the following page removal
+		save = False
 
 	artname = urllib.unquote_plus(artname)
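Review bot: the new check silently downgrades a GET to `.../save` into a plain page view (`save = False`) instead of rejecting it; since the whole point is that such requests are accidental, answering with an explicit 405 and an `Allow: POST` header would make the misuse visible rather than quietly showing the page. Style: `not os.environ.get('REQUEST_METHOD', 'GET') == 'POST'` reads more naturally as `os.environ.get('REQUEST_METHOD', 'GET') != 'POST'`. Also worth noting in the comment: this only addresses the accidental-GET case described; a cross-site form can still POST to `.../save`, so it is not a defense against a forged save request, which would need a per-request token in a separate change.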