Warn and reject if a nonce is rapidly reused

Rosuav · Dec 10, 2024 · a832651 · a832651
1 parent 2808471
commit a832651
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/modules/http/chan_form.pike b/modules/http/chan_form.pike
@@ -352,6 +352,10 @@ __async__ mapping(string:mixed) http_request(Protocols.HTTP.Server.Request req)
 					if (!resp[formid]) resp[formid] = ([]);
 					if (mapping p = resp[formid]->permissions[?nonce]) {
 						//The permission is no longer available.
+						if (p->used) {
+							werror("FORM REUSED %O\n", nonce);
+							return; //Silently ignore the second one (for now)
+						}
 						p->used = 1;
 					}
 					resp[formid]->responses += ({response});