From 0d6d0e8f6946aa8aaabdb3415bfb31cb727c00a2 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Apr 21 2015 15:10:51 +0000
Subject: Enforce doing POST request with CSRF protection when forking a repo
---
diff --git a/pagure/ui/fork.py b/pagure/ui/fork.py
index c3c562c..682d8d6 100644
--- a/pagure/ui/fork.py
+++ b/pagure/ui/fork.py
@@ -711,14 +711,18 @@ def set_assignee_requests(repo, requestid, username=None):
 # Specific actions
-@APP.route('/do_fork/')
-@APP.route('/do_fork//')
+@APP.route('/do_fork/', methods=['POST'])
+@APP.route('/do_fork//', methods=['POST'])
 @cla_required
 def fork_project(repo, username=None):
     """ Fork the project specified into the user's namespace """
     repo = pagure.lib.get_project(SESSION, repo, user=username)
+    form = pagure.forms.ConfirmationForm()
+    if not form.validate_on_submit():
+        flask.abort(400)
+
     if repo is None:
         flask.abort(404)