From 6ad78a48185e201cc2d89353032ea0ff27ebb3a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maurice=20Preu=C3=9F=20=28envoyr=29?=
Date: Sun, 25 Dec 2022 22:14:39 +0100
Subject: [PATCH] add csrf token header to jquery requests
---
 admin_plans.php | 2 +-
 lib/init.php | 2 +-
 templates/Froxlor/base.html.twig | 1 +
 templates/Froxlor/src/js/main.js | 6 ++++++
 4 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/admin_plans.php b/admin_plans.php
index 119b7e11..734f5799 100644
--- a/admin_plans.php
+++ b/admin_plans.php
@@ -263,7 +263,7 @@ if ($page == '' || $page == 'overview') {
 }
 }
 } elseif ($action == 'jqGetPlanValues') {
- $planid = isset($_POST['planid']) ? (int)$_POST['planid'] : 0;
+ $planid = (int)Request::get('planid', 0);
 try {
 $json_result = HostingPlans::getLocal($userinfo, [
 'id' => $planid
diff --git a/lib/init.php b/lib/init.php
index 6856402f..4081555e 100644
--- a/lib/init.php
+++ b/lib/init.php
@@ -317,7 +317,7 @@ if (CurrentUser::hasSession()) {
 $new_token = Froxlor::genSessionId(20);
 UI::twig()->addGlobal('csrf_token', $new_token);
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
- $current_token = $_POST['csrf_token'];
+ $current_token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
 if ($current_token != CurrentUser::getField('csrf_token')) {
 Response::dynamicError('CSRF validation failed');
 }
diff --git a/templates/Froxlor/base.html.twig b/templates/Froxlor/base.html.twig
index ba41c856..41b0d018 100644
--- a/templates/Froxlor/base.html.twig
+++ b/templates/Froxlor/base.html.twig
@@ -7,6 +7,7 @@ + {% if theme_css is empty %}
diff --git a/templates/Froxlor/src/js/main.js b/templates/Froxlor/src/js/main.js
index 265c75d7..566fc1d8 100644
--- a/templates/Froxlor/src/js/main.js
+++ b/templates/Froxlor/src/js/main.js
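Review bot: The new `$planid = (int)Request::get('planid', 0);` no longer restricts the lookup to POST data; if `Request::get` also reads from `$_GET`/`$_REQUEST` (not visible in this hunk), the parameter can arrive on a GET request, and the CSRF gate in lib/init.php in this same commit only runs when `REQUEST_METHOD` is POST, so the handler would then sit outside that check. If the jQuery caller is meant to POST, a one-line comment such as `// jqGetPlanValues is called via POST from main.js; the CSRF check in lib/init.php applies` or an explicit method check in front of the lookup keeps that expectation visible. The enclosing `elseif` branch continues past the end of the hunk.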
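Review bot: The check on the line after the changed one in lib/init.php still uses loose `!=`, so with the new `?? null` fallback it must also handle `null` and non-string input (for example an array submitted as `csrf_token[]`), and string-to-string `!=` follows PHP's numeric-string coercion rules rather than byte equality. A type-strict, constant-time comparison is safer: `if (!is_string($current_token) || !hash_equals((string)CurrentUser::getField('csrf_token'), $current_token)) {`. The `is_string` guard matters because `hash_equals()` throws a `TypeError` on non-string arguments, which would surface as an error instead of the intended `Response::dynamicError('CSRF validation failed')`. The header fallback is only consulted inside the existing POST-only branch, which is consistent with the jQuery caller, and deserves a short comment on the changed line such as `// X-CSRF-TOKEN is set by $.ajaxSetup in templates/Froxlor/src/js/main.js`.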
@@ -11,6 +11,12 @@ window.Chart = Chart;
 $(function () {
 window.$theme = 'Froxlor';
+ $.ajaxSetup({
+ headers: {
+ 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
+ }
+ });
+
 const tooltipTriggerList = [].slice.call(document.querySelectorAll('[data-bs-toggle="tooltip"]'))
 const tooltipList = tooltipTriggerList.map(function (tooltipTriggerEl) {
 return new bootstrap.Tooltip(tooltipTriggerEl)