From 7e455e6226129307e940d4a3215494d4b3f500a8 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Mon, 6 Jul 2015 12:36:22 +0100
Subject: [PATCH] mason/pastebin/, static/odin.css: Cope if client doesn't send cookies.

Previously the edit key would just get lost. Instead, detect the situation and show a page with a fierce warning: because we can't hide the edit key anywhere other than the actual page URL, the link is unsafe to share, so it's important to make it obvious which link is safe.
---
mason/pastebin/%show | 16 ++++++++++++++--
mason/pastebin/dhandler | 20 ++++++++++++++++----
static/odin.css | 6 ++++++
3 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/mason/pastebin/%show b/mason/pastebin/%show
index b8dc069..7668de7 100644
--- a/mason/pastebin/%show
+++ b/mason/pastebin/%show
@@ -2,11 +2,22 @@ title => Odin::escapify($m, $title) . " (odin.gg Paste Bin)" &>

odin.gg Paste Bin: <% $title %>

+% if (defined $honc) { +
+

Your browser doesn't appear to be accepting my cookies. +

Don't share the link to this page with other people. If you do, + they'll be able to edit this paste just as you can, using the + Edit link at the top of the page. +

Instead, share this link: + "><% + "$Odin::PASTEBIN/$tag" |h %> +

+% }
 % if ($lang eq 'txt') {
 <% $content |h %>\
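Review bot: The `% if (defined $honc)` branch renders the one page whose own URL carries the edit key, and nothing in this hunk keeps that URL out of `Referer` headers or shared caches. Whether a paste page ever loads or links to another origin is not visible here, but sending `Referrer-Policy: no-referrer` and `Cache-Control: no-store` on responses where `honc` is set would be cheap. The key is also likely to land in the server's access log with the query string, which deserves a comment beside the warning, e.g. `%# honc puts the edit key in the URL: treat access logs for these requests as sensitive`. The safe link itself is built from `$tag` and passed through `|h`, which is the right escaping for that spot.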
@@ -34,6 +45,7 @@
 	$title
 	$lang
 	$tag
+	$honc
 	$edit
 
 %#
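Review bot: `$honc` is declared here without a default, which in a Mason `<%args>` block makes it a required argument, while the dhandler declares the same name as `$honc => undef`. The call changed in this commit always passes `honc`, so it works, but any other caller of `%show` (none is visible in this diff) would now fail with a missing-argument error. Declaring it as `$honc => undef` keeps the component callable without the argument and matches the `defined $honc` test in the body. The block's opening tag is outside the hunk and its markup is stripped on this page, so the block type is inferred from the variable list.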
diff --git a/mason/pastebin/dhandler b/mason/pastebin/dhandler
index 7f6ea24..85b7ef3 100644
--- a/mason/pastebin/dhandler
+++ b/mason/pastebin/dhandler
@@ -7,6 +7,13 @@
 	    -path => "$Odin::PASTEBIN_PATH/", %attr;
 	}
 
+	sub hasuff ($) {
+	  my ($edit) = @_;
+	  return $Odin::COOKIE{"odin-cookie-probe"} ? "" : "?honc=$edit";
+	}
+
+	Odin::bake_cookie $r, "odin-cookie-probe=t";
+
 	my %props = (
 	  lang => $lang, title => $title,
 	  content => Odin::tidy_pastebin_content $content
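Review bot: `hasuff` pastes `$edit` into the query string as it stands (`"?honc=$edit"`), so the redirect is only well formed if the key alphabet is URL-safe. That is not visible in this diff, and percent-encoding it, for instance `"?honc=" . URI::Escape::uri_escape($edit)`, removes the assumption; the helper feeds both `$m->redirect` calls in the `-32,14` hunk, so the change belongs here once. The probe also only says something on a client's second request: a client whose first request is the POST carries no `odin-cookie-probe` yet and gets the key in `Location` even if it accepts cookies. A comment such as `# absent probe cookie means "no cookie seen yet", not "cookies refused"` would record that limit. The enclosing code block starts and ends outside the hunk.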
@@ -22,7 +29,8 @@
 	      $m->print($old{content});
 	    } else {
 	      $edit = $Odin::COOKIE{"odin-handoff.$tag"};
-	      $m->comp("%show", tag => $tag, edit => $edit, %old);
+	      $m->comp("%show", tag => $tag,
+		       honc => $honc, edit => $edit // $honc, %old);
 	    }
 	  } else {
 	    if ($op eq "del") {
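Review bot: `edit => $edit // $honc` hands the request-supplied `honc` value to `%show` as the edit key without checking it, and `honc => $honc` switches the warning on for any request that carries the parameter. A link with a made-up `honc` therefore shows the fierce warning and an Edit link that cannot work, and the value is only as safe as the escaping at the place where `%show` emits `$edit`, which is outside this diff. If Odin can check a key against the stored one without modifying the paste, gating both arguments on that check would keep the banner truthful. Otherwise a comment such as `# honc is untrusted here; the key appears to be verified only by update_pastebin (confirm)` would record the assumption. The surrounding `if`/`else` chain starts and ends outside the hunk.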
@@ -32,14 +40,17 @@
 	    } else {
 	      set_handoff_cookie $tag, $edit;
 	      my $editp = Odin::update_pastebin $tag, $edit, %props;
-	      if ($editp) { $m->redirect("$Odin::PASTEBIN/$tag"); }
-	      else { $m->comp("%edit", tag => $tag, edit => $edit, %props); }
+	      if ($editp) {
+		$m->redirect("$Odin::PASTEBIN/$tag" . hasuff $edit);
+	      } else {
+		$m->comp("%edit", tag => $tag, edit => $edit, %props);
+	      }
 	    }
 	  }
 	} elsif (defined $content) {
 	  ($tag, $edit) = Odin::new_pastebin %props;
 	  set_handoff_cookie $tag, $edit;
-	  $m->redirect("$Odin::PASTEBIN/$tag");
+	  $m->redirect("$Odin::PASTEBIN/$tag" . hasuff $edit);
 	} else {
 	  Odin::path_info($r) =~ m:/$:
 	    or $m->redirect("$Odin::PASTEBIN/", 301);
@@ -52,6 +63,7 @@
 	$edit => undef
 	$lang => undef
 	$title => undef
+	$honc => undef
 	$op => "edit"
 
 %#
diff --git a/static/odin.css b/static/odin.css
index 80e23fc..6408dd6 100644
--- a/static/odin.css
+++ b/static/odin.css
@@ -38,3 +38,9 @@ input#title { min-width: 24em; }
 
 div.pastebin { float: left; }
 div.paste-widgets { text-align: center; margin: 1ex; }
+
+div.note {
+	border: solid red;
+	padding: 1ex;
+	margin: 2ex;
+}
-- 
2.11.0