Checklist

Check-in [0280010860]

Overview
Comment: Update to make use of SAME_ORIGIN.
SHA1: 0280010860a25b02bd9d8c44b85c41b43bf6fa54
User & Date: drh 2018-01-30 23:47:18
Context
2018-02-01 15:22  Tweaks to the checklist.tcl script so that it passes --lint and to enable a timeout on the database connection. check-in: aae9b15e00 user: drh tags: trunk
2018-01-30 23:47  Update to make use of SAME_ORIGIN. check-in: 0280010860 user: drh tags: trunk
2018-01-30 20:39  Add a warning to the login page if the client is not sending Referer headers. check-in: 1e0662e9e3 user: drh tags: trunk
Changes

Changes to checklist.tcl.

Old version (checklist.tcl lines 141-155 and 333-346):
  if {[checklist-common-header]} return
  if {[string match https:* [wapp-param BASE_URL]]==0
       && [wapp-param REMOTE_ADDR]!="127.0.0.1"} {
    wapp-subst {<p class="error">Login via HTTPS only</p>}
    checklist-common-footer
    return
  }


  if {[wapp-param-exists u] && [wapp-param-exists p]} {

    set u [wapp-param u]
    set p [wapp-param p]
    set px [db one {SELECT hex($p)}]
    set ok [db exists {SELECT 1 FROM config
                        WHERE name=('user-'||$u)
                          AND hex(value)=$px}]
    if {$ok} {
................................................................................
  wapp-mimetype text/javascript
  wapp-cache-control max-age=86400
  wapp {
    function cklistAjax(uri,data,callback){
      var xhttp = new XMLHttpRequest();
      xhttp.onreadystatechange = function(){
        if(xhttp.readyState!=4) return

        var jx = JSON.parse(xhttp.responseText);
        callback(jx);
      }
      if(data){
        xhttp.open("POST",uri,true);
        xhttp.setRequestHeader("Content-Type",
                               "application/x-www-form-urlencoded");
New version (checklist.tcl lines 141-158 and 336-350):
  if {[checklist-common-header]} return
  if {[string match https:* [wapp-param BASE_URL]]==0
       && [wapp-param REMOTE_ADDR]!="127.0.0.1"} {
    wapp-subst {<p class="error">Login via HTTPS only</p>}
    checklist-common-footer
    return
  }
  if {[wapp-param SAME_ORIGIN]
   && [wapp-param-exists u]
   && [wapp-param-exists p]
  } {
    set u [wapp-param u]
    set p [wapp-param p]
    set px [db one {SELECT hex($p)}]
    set ok [db exists {SELECT 1 FROM config
                        WHERE name=('user-'||$u)
                          AND hex(value)=$px}]
    if {$ok} {
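Review bot: the new SAME_ORIGIN gate fails silently. When u and p are present but SAME_ORIGIN is false (wapp derives SAME_ORIGIN by comparing the Referer header against BASE_URL, which is why the previous check-in 1e0662e9e3 added a login-page warning for clients that send no Referer), the whole `if` is skipped and the user is simply shown the login form again with no explanation, which is hard to distinguish from a wrong password. Consider splitting the condition so that a submitted credential pair with SAME_ORIGIN false produces an explicit error, for example `wapp-subst {<p class="error">Login rejected: request did not come from this site</p>}`, and keep the credential check only under SAME_ORIGIN true. Two points in the unchanged context are worth a follow-up: the loopback exemption on the HTTPS check compares REMOTE_ADDR only to "127.0.0.1", so an IPv6 loopback client ("::1") is treated as remote and refused; and the `hex(value)=$px` comparison means the config row holds the password in the same form the client submits it, so anyone with read access to the database can recover every login.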
................................................................................
  wapp-mimetype text/javascript
  wapp-cache-control max-age=86400
  wapp {
    function cklistAjax(uri,data,callback){
      var xhttp = new XMLHttpRequest();
      xhttp.onreadystatechange = function(){
        if(xhttp.readyState!=4) return
        if(!xhttp.responseText) return
        var jx = JSON.parse(xhttp.responseText);
        callback(jx);
      }
      if(data){
        xhttp.open("POST",uri,true);
        xhttp.setRequestHeader("Content-Type",
                               "application/x-www-form-urlencoded");
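Review bot: the new `if(!xhttp.responseText) return` guard only covers an empty body; a non-2xx reply (the "Login via HTTPS only" HTML page, or any server error page) still reaches `JSON.parse`, which throws inside the onreadystatechange handler, so the callback is never invoked and the caller gets no failure signal at all. Check `xhttp.status` before parsing, or wrap the parse in try/catch and pass an error object to the callback, so that the SAME_ORIGIN rejection introduced in the login handler above surfaces to the caller instead of vanishing. Also note that this script is served with `max-age=86400`, so browsers holding the previous copy will keep running it without the new guard for up to a day after deployment.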