CSRF protection for eventsource

This commit is contained in:
Robin Appelman 2012-07-22 16:36:09 +02:00
parent a49c07cf88
commit b1010160b3
4 changed files with 7 additions and 0 deletions


@ -17,6 +17,8 @@ $source = isset( $_REQUEST['source'] ) ? stripslashes($_REQUEST['source']) : '';
if($source){ if($source){
$eventSource=new OC_EventSource(); $eventSource=new OC_EventSource();
}else{
OC_JSON::callCheck();
} }
if($filename == '') { if($filename == '') {
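Review bot: The CSRF check for the event-source branch is not made in this file; only the `else` path calls `OC_JSON::callCheck()`, and the `$source` path relies on the `OC_Util::isCallRegistered()` check that this commit adds inside the `OC_EventSource` class (fourth file of the commit) running before anything else happens. A comment on the branch, e.g. `// CSRF check for the event-source path is done in OC_EventSource's constructor`, would keep the two halves from drifting apart when one of them is edited later. Note also that `if($source)` treats a source value of `'0'` as absent and sends that request down the JSON path, which is probably harmless but worth a comment if intentional. The surrounding script starts and continues outside the hunk.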


@ -40,6 +40,7 @@ OC.EventSource=function(src,data){
dataStr+=name+'='+encodeURIComponent(data[name])+'&'; dataStr+=name+'='+encodeURIComponent(data[name])+'&';
} }
} }
dataStr+='requesttoken='+OC.EventSource.requesttoken;
if(!this.useFallBack && typeof EventSource !='undefined'){ if(!this.useFallBack && typeof EventSource !='undefined'){
this.source=new EventSource(src+'?'+dataStr); this.source=new EventSource(src+'?'+dataStr);
this.source.onmessage=function(e){ this.source.onmessage=function(e){
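Review bot: The new `requesttoken` parameter is appended raw, while every other parameter in the loop just above goes through `encodeURIComponent`, and nothing guards against `OC.EventSource.requesttoken` being unset, which would send the literal string `requesttoken=undefined`; use `dataStr+='requesttoken='+encodeURIComponent(OC.EventSource.requesttoken);` so the token is encoded consistently with the rest of the query string. Because `EventSource` cannot set request headers, the token necessarily travels in the URL here, which means it ends up in server access logs and in the `Referer` of any request made from that URL; a short comment stating that this is deliberate and why would help the next reader. The `OC.EventSource` constructor begins and continues outside the hunk, so whether the same `dataStr` is also used by the fallback transport cannot be seen here.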


@ -33,6 +33,7 @@
<script type="text/javascript"> <script type="text/javascript">
$(function() { $(function() {
requesttoken = '<?php echo $_['requesttoken']; ?>'; requesttoken = '<?php echo $_['requesttoken']; ?>';
OC.EventSource.requesttoken=requesttoken;
$(document).bind('ajaxSend', function(elm, xhr, s){ $(document).bind('ajaxSend', function(elm, xhr, s){
if(requesttoken) { if(requesttoken) {
xhr.setRequestHeader('requesttoken', requesttoken); xhr.setRequestHeader('requesttoken', requesttoken);


@ -42,6 +42,9 @@ class OC_EventSource{
}else{ }else{
header("Content-Type: text/event-stream"); header("Content-Type: text/event-stream");
} }
if( !OC_Util::isCallRegistered()){
exit();
}
flush(); flush();
} }
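Review bot: The `OC_Util::isCallRegistered()` check runs after the `Content-Type` header has already been sent and then calls `exit()` without setting a status, so a rejected client receives a 200 `text/event-stream` response that simply closes; browsers treat a closed stream as a transient failure and reconnect after a delay, so a page without a valid token would keep retrying the rejected request. Moving the check ahead of the `header()` calls and answering with an explicit error stops that: `if( !OC_Util::isCallRegistered()){ header('HTTP/1.1 403 Forbidden'); exit(); }`. The constructor of `OC_EventSource` starts outside the hunk, so the exact spot before the `if`/`else` that emits the content type has to be chosen there.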