From b1010160b363223c1e1c1cc7137dfb8e9aa3ab5b Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Sun, 22 Jul 2012 16:36:09 +0200
Subject: [PATCH] CSRF protection for eventsource

---
 apps/files/ajax/newfile.php | 2 ++
 core/js/eventsource.js | 1 +
 core/templates/layout.user.php | 1 +
 lib/eventsource.php | 3 +++
 4 files changed, 7 insertions(+)

diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php
index de054d9ce0..cc9208ad08 100644
--- a/apps/files/ajax/newfile.php
+++ b/apps/files/ajax/newfile.php
@@ -17,6 +17,8 @@ $source = isset( $_REQUEST['source'] ) ? stripslashes($_REQUEST['source']) : '';
 
 if($source){
 	$eventSource=new OC_EventSource();
+}else{
+	OC_JSON::callCheck();
 }
 
 if($filename == '') {
diff --git a/core/js/eventsource.js b/core/js/eventsource.js
index 08259e02ca..e3ad7e3a67 100644
--- a/core/js/eventsource.js
+++ b/core/js/eventsource.js
@@ -40,6 +40,7 @@ OC.EventSource=function(src,data){
 			dataStr+=name+'='+encodeURIComponent(data[name])+'&';
 		}
 	}
+	dataStr+='requesttoken='+OC.EventSource.requesttoken;
 	if(!this.useFallBack && typeof EventSource !='undefined'){
 		this.source=new EventSource(src+'?'+dataStr);
 		this.source.onmessage=function(e){
diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php
index 7e98fdedc2..dc303ffc1a 100644
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@@ -33,6 +33,7 @@
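Review bot: With the new `}else{ OC_JSON::callCheck(); }` the CSRF check runs only when `$source` is empty, so on the streaming path the token must be verified by `OC_EventSource` itself; nothing in this hunk shows that, and the lib/eventsource.php change listed in the diffstat is outside this chunk, so the contract is implicit. A comment on the `if($source){` branch would make it explicit, e.g. `// streaming path: the request token is verified by OC_EventSource, not by callCheck() here`. Note that `if($source)` tests truthiness, so a `source` value of `'0'` takes the `callCheck()` branch rather than the streaming one; if that is intended, `$source !== ''` would state it more precisely.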
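Review bot: `dataStr+='requesttoken='+OC.EventSource.requesttoken;` appends the token raw, while the loop directly above passes every other value through `encodeURIComponent`; use `dataStr+='requesttoken='+encodeURIComponent(OC.EventSource.requesttoken);` so a token containing `+`, `=` or `&` neither breaks the query string nor fails the server-side comparison. `OC.EventSource.requesttoken` is not defined in this hunk — presumably the layout.user.php change (cut off in this chunk) sets it; if it is ever undefined, the literal string `undefined` is sent as the token, so a short comment naming where it is populated would help. The token also travels in the URL here, which is inherent to EventSource (no custom headers) but means it appears wherever request URLs are logged; that is worth a one-line comment. The enclosing `OC.EventSource` function starts before and continues after this hunk.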