From 242015942326628da1d53d1303b4d2a900b747b8 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Fri, 17 Dec 2021 23:22:25 +0100
Subject: [PATCH] fix security problems in draft handling. fixes #3565
---
 inc/Ajax.php | 6 ++++--
 inc/Draft.php | 2 +-
 lib/scripts/edit.js | 3 ++-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/inc/Ajax.php b/inc/Ajax.php
index f1aea7d936..71b8918dff 100644
--- a/inc/Ajax.php
+++ b/inc/Ajax.php
@@ -168,8 +168,10 @@ protected function callDraftdel() {
 $client = $_SERVER['REMOTE_USER'];
 if(!$client) $client = clientIP(true);
- $cname = getCacheName($client . $id, '.draft');
- @unlink($cname);
+ $draft = new Draft($id, $client);
+ if ($draft->isDraftAvailable() && checkSecurityToken()) {
+ $draft->deleteDraft();
+ }
 }
 /**
diff --git a/inc/Draft.php b/inc/Draft.php
index f80016c8dc..ea9431069e 100644
--- a/inc/Draft.php
+++ b/inc/Draft.php
@@ -25,7 +25,7 @@ public function __construct($ID, $client)
 {
 $this->id = $ID;
 $this->client = $client;
- $this->cname = getCacheName($client.$ID, '.draft');
+ $this->cname = getCacheName("$client\n$ID", '.draft');
 if(file_exists($this->cname) && file_exists(wikiFN($ID))) {
 if (filemtime($this->cname) < filemtime(wikiFN($ID))) {
 // remove stale draft
diff --git a/lib/scripts/edit.js b/lib/scripts/edit.js
index 02c1ddfced..2253d05cff 100644
--- a/lib/scripts/edit.js
+++ b/lib/scripts/edit.js
@@ -210,7 +210,8 @@ function deleteDraft() {
 jQuery.post(DOKU_BASE + 'lib/exe/ajax.php',
 {
 call: 'draftdel',
- id: $dwform.find('input[name=id]').val()
+ id: $dwform.find('input[name=id]').val(),
+ sectok: $dwform.find('input[name=sectok]').val()
 }
 );
 }
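Review bot: In `callDraftdel()` the token is checked last, after `new Draft($id, $client)` and `isDraftAvailable()` have already run, so a request without a valid token still executes the Draft constructor. Judging by the `// remove stale draft` branch visible in inc/Draft.php, that constructor appears to remove files on its own, which would leave a token-less deletion path open. Check the token before anything else, e.g. `if (!checkSecurityToken()) return;` ahead of the constructor call, and keep `if ($draft->isDraftAvailable()) $draft->deleteDraft();` after it. A refused request also produces no response, so consider returning an explicit error status to make rejections visible to the client and in logs. The body of callDraftdel starts before this hunk.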
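Review bot: The new key `"$client\n$ID"` in the constructor has no comment explaining why a newline is the separator, so a later cleanup could easily turn it back into plain concatenation. I would add above the line: `// "\n" separates client and ID so two different (client, ID) pairs can never produce the same cache key`. This presumably holds only while neither value can contain a newline, which the hunk does not show and is worth confirming for the `REMOTE_USER` value. Changing the key also means drafts stored under the old name are no longer found by this class after an upgrade, and any remaining code that still builds the name as `$client.$ID` will miss the file. The constructor continues past the end of the hunk.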
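Review bot: The `draftdel` request in `deleteDraft()` is still sent with no response handling, although the server side of this commit can now decline it when `sectok` is missing or not accepted. In that case the draft stays on disk and nothing on the client notices. If `input[name=sectok]` is absent from the form, `.val()` returns `undefined`, so a short guard before the call or a failure handler on `jQuery.post` would make the case visible. The body of deleteDraft starts before this hunk.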