Skip to content

Commit 44fb32d

Browse files
committed
Security Hardening: Move to new CSRF Token system.
1 parent 555aeb8 commit 44fb32d

13 files changed

Lines changed: 34 additions & 8 deletions

File tree

htdocs/js/pages/Events.class.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2362,7 +2362,7 @@ Page.Events = class Events extends Page.PageUtils {
23622362

23632363
Dialog.onDragDrop = function(files) {
23642364
// files dropped on dialog
2365-
ZeroUpload.upload( files, {}, {} );
2365+
ZeroUpload.upload( files, {}, app.csrf_token ? { csrf_token: app.csrf_token } : {} );
23662366
};
23672367

23682368
Dialog.onHide = function() {

htdocs/js/pages/PageUtils.class.js

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5410,7 +5410,7 @@ Page.PageUtils = class PageUtils extends Page.Base {
54105410

54115411
Dialog.onDragDrop = function(files) {
54125412
// files dropped on dialog
5413-
ZeroUpload.upload( files, {}, {} );
5413+
ZeroUpload.upload( files, {}, app.csrf_token ? { csrf_token: app.csrf_token } : {} );
54145414
};
54155415

54165416
Dialog.onHide = function() {
@@ -5499,7 +5499,7 @@ Page.PageUtils = class PageUtils extends Page.Base {
54995499

55005500
uploadDialogFiles() {
55015501
// upload files using ZeroUpload (for progress, etc.)
5502-
ZeroUpload.chooseFiles({}, {});
5502+
ZeroUpload.chooseFiles( {}, app.csrf_token ? { csrf_token: app.csrf_token } : {} );
55035503
}
55045504

55055505
addPageDescription(page_id) {

htdocs/js/pages/Tickets.class.js

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1314,6 +1314,7 @@ Page.Tickets = class Tickets extends Page.PageUtils {
13141314
if (this.editor) return app.doError("Please close the current text editor before attaching files.");
13151315

13161316
ZeroUpload.chooseFiles({}, {
1317+
csrf_token: app.csrf_token || '',
13171318
ticket: this.ticket.id,
13181319
save: true
13191320
});
@@ -2467,6 +2468,7 @@ Page.Tickets = class Tickets extends Page.PageUtils {
24672468
// intercept drag-drop event and upload files to ticket
24682469
if (this.args.sub == 'view') {
24692470
ZeroUpload.upload( files, {}, {
2471+
csrf_token: app.csrf_token || '',
24702472
ticket: this.ticket.id || 'new',
24712473
save: this.editor ? false : true
24722474
} );
@@ -2478,6 +2480,7 @@ Page.Tickets = class Tickets extends Page.PageUtils {
24782480
if (!this.editor) return; // sanity
24792481

24802482
ZeroUpload.chooseFiles({}, {
2483+
csrf_token: app.csrf_token || '',
24812484
ticket: this.ticket.id || 'new'
24822485
});
24832486
}

htdocs/js/pages/Workflows.class.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1421,7 +1421,7 @@ Page.Workflows = class Workflows extends Page.Events {
14211421

14221422
Dialog.onDragDrop = function(files) {
14231423
// files dropped on dialog
1424-
ZeroUpload.upload( files, {}, {} );
1424+
ZeroUpload.upload( files, {}, app.csrf_token ? { csrf_token: app.csrf_token } : {} );
14251425
};
14261426

14271427
Dialog.onHide = function() {

htdocs/js/pages/admin/Buckets.class.js

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -540,6 +540,7 @@ Page.Buckets = class Buckets extends Page.PageUtils {
540540
if (!this.bucket.id) return; // sanity
541541

542542
ZeroUpload.chooseFiles({}, {
543+
csrf_token: app.csrf_token || '',
543544
bucket: this.bucket.id
544545
});
545546
}
@@ -548,6 +549,7 @@ Page.Buckets = class Buckets extends Page.PageUtils {
548549
// intercept drag-drop event and upload files to bucket
549550
if (this.args.sub == 'edit') {
550551
ZeroUpload.upload( files, {}, {
552+
csrf_token: app.csrf_token || '',
551553
bucket: this.bucket.id
552554
} );
553555
}

htdocs/js/pages/admin/Plugins.class.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -527,7 +527,7 @@ Page.Plugins = class Plugins extends Page.PageUtils {
527527

528528
Dialog.onDragDrop = function(files) {
529529
// files dropped on dialog
530-
ZeroUpload.upload( files, {}, {} );
530+
ZeroUpload.upload( files, {}, app.csrf_token ? { csrf_token: app.csrf_token } : {} );
531531
};
532532

533533
Dialog.onHide = function() {

htdocs/js/pages/admin/Users.class.js

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -332,6 +332,7 @@ Page.Users = class Users extends Page.PageUtils {
332332
upload_avatar() {
333333
// upload profile pic using ZeroUpload
334334
ZeroUpload.chooseFiles({}, {
335+
csrf_token: app.csrf_token || '',
335336
username: this.user.username
336337
});
337338
}

htdocs/js/pages/user/MyAccount.class.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -197,7 +197,7 @@ Page.MyAccount = class MyAccount extends Page.Base {
197197

198198
uploadAvatar() {
199199
// upload profile pic using ZeroUpload
200-
ZeroUpload.chooseFiles({}, {});
200+
ZeroUpload.chooseFiles( {}, app.csrf_token ? { csrf_token: app.csrf_token } : {} );
201201
}
202202

203203
uploadStart(files, userData) {

lib/api.js

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -541,6 +541,13 @@ class API {
541541
this.storage.get('sessions/' + session_id, function(err, session) {
542542
if (err) return callback(err, null, null);
543543

544+
// csrf check
545+
var csrf_token = args.request.headers['x-csrf-token'] || args.params.csrf_token || null;
546+
if (self.usermgr.config.get('use_csrf') && !args.request.method.match(/^(GET|HEAD)$/) && session.csrf_token && (csrf_token != session.csrf_token)) {
547+
self.logError('user', "Failed to validate session: Invalid CSRF Token", { username: session.username, ips: args.ips });
548+
return callback(new Error("Invalid session"), null, null);
549+
}
550+
544551
// also load user
545552
self.storage.get('users/' + self.usermgr.normalizeUsername(session.username), function(err, user) {
546553
if (err) return callback(err, null, null);
@@ -554,6 +561,10 @@ class API {
554561
delete args.request.headers['x-session-id'];
555562
delete args.request.headers['cookie'];
556563

564+
// cleanup csrf token mess as well
565+
delete args.params.csrf_token;
566+
delete args.request.headers['x-csrf-token'];
567+
557568
// pass both session and user to callback
558569
callback(null, session, user);
559570
} );

lib/comm.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -241,7 +241,7 @@ class Communication {
241241
}
242242

243243
// create fake args object for loadSession
244-
var args = { cookies: {}, request: { headers: {} }, params: {} };
244+
var args = { cookies: {}, request: { method: 'GET', headers: {} }, params: {} };
245245

246246
// pull session_id out of original ws request cookies
247247
if (socket.request.headers.cookie && socket.request.headers.cookie.match(/\bsession_id\=([0-9a-f]{64})\b/)) {

0 commit comments

Comments
 (0)