<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in scripts</title>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2025</copyright>
    <generator>Java</generator><item>
        <title>5d8c9d422c83ef31e1acbe6e37664185196c3016 - (security) Require a security token for the lock AJAX call</title>
        <link>http://127.0.0.1:8080/history/dokuwiki/lib/scripts/#5d8c9d422c83ef31e1acbe6e37664185196c3016</link>
        <description>(security) Require a security token for the lock AJAX call

The lock AJAX call refreshes the edit lock and saves a draft, both of which change server state. It was gated only by the write ACL and, unlike the sibling draft-delete call, did not verify a security token (low severity).

A cross-site forged POST against a logged-in user could, within that user&apos;s own write permissions, take or hold an edit lock and store attacker-controlled draft content under their name.

The call now verifies the security token before taking the lock or saving the draft. Logged out users are unaffected, as no token is issued or checked for them. The edit lock timer now always sends the token with its refresh request, including when draft saving is disabled.

            List of files:
            /dokuwiki/lib/scripts/locktimer.js</description>
        <pubDate>Sat, 06 Jun 2026 18:00:00 +0000</pubDate>
        <dc:creator>Andreas Gohr &lt;andi@splitbrain.org&gt;</dc:creator>
    </item>
</channel>
</rss>
