CSRF protection for eventsource

2012-07-22 16:36:09 +02:00 · 2012-07-22 16:36:09 +02:00 · b1010160b3
parent a49c07cf88
commit b1010160b3
4 changed files with 7 additions and 0 deletions
--- a/apps/files/ajax/newfile.php
+++ b/apps/files/ajax/newfile.php
@ -17,6 +17,8 @@ $source = isset( $_REQUEST['source'] ) ? stripslashes($_REQUEST['source']) : '';

 if($source){
 	$eventSource=new OC_EventSource();
+}else{
+	OC_JSON::callCheck();
 }

 if($filename == '') {
--- a/core/js/eventsource.js
+++ b/core/js/eventsource.js
@ -40,6 +40,7 @@ OC.EventSource=function(src,data){
 			dataStr+=name+'='+encodeURIComponent(data[name])+'&';
 		}
 	}
+	dataStr+='requesttoken='+OC.EventSource.requesttoken;
 	if(!this.useFallBack && typeof EventSource !='undefined'){
 		this.source=new EventSource(src+'?'+dataStr);
 		this.source.onmessage=function(e){
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@ -33,6 +33,7 @@
 		<script type="text/javascript">
 			$(function() {
 				requesttoken = '<?php echo $_['requesttoken']; ?>';
+				OC.EventSource.requesttoken=requesttoken;
 				$(document).bind('ajaxSend', function(elm, xhr, s){
 					if(requesttoken) {
 						xhr.setRequestHeader('requesttoken', requesttoken);
--- a/lib/eventsource.php
+++ b/lib/eventsource.php
@ -42,6 +42,9 @@ class OC_EventSource{
 		}else{
 			header("Content-Type: text/event-stream");
 		}
+		if( !OC_Util::isCallRegistered()){
+			exit();
+		}
 		flush();

 	}