add csrf token header to jquery requests

Maurice Preuß (envoyr)
2022-12-25 22:14:39 +01:00
parent ddc95762eb
commit 6ad78a4818
4 changed files with 9 additions and 2 deletions


@@ -263,7 +263,7 @@ if ($page == '' || $page == 'overview') {
} }
} }
} elseif ($action == 'jqGetPlanValues') { } elseif ($action == 'jqGetPlanValues') {
$planid = isset($_POST['planid']) ? (int)$_POST['planid'] : 0; $planid = (int)Request::get('planid', 0);
try { try {
$json_result = HostingPlans::getLocal($userinfo, [ $json_result = HostingPlans::getLocal($userinfo, [
'id' => $planid 'id' => $planid
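Review bot: The switch from `$_POST['planid']` to `Request::get('planid', 0)` may widen where the parameter is read from, and the implementation of `Request::get` is not visible in this hunk; if it also accepts query-string parameters, the `jqGetPlanValues` branch becomes reachable via GET, which the CSRF check added in the index.php hunk of this commit does not cover because that check only runs when `REQUEST_METHOD` is POST. The call only appears to read plan values through `HostingPlans::getLocal($userinfo, ...)`, so this may be acceptable, but it should be a deliberate choice. If GET is intended, say so with a comment above the read, e.g. `// planid may come from GET or POST; this action is read-only and needs no CSRF token`, otherwise keep the read POST-only. The enclosing `if ($page == '' || $page == 'overview')` chain starts and ends outside this hunk.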


@@ -317,7 +317,7 @@ if (CurrentUser::hasSession()) {
$new_token = Froxlor::genSessionId(20); $new_token = Froxlor::genSessionId(20);
UI::twig()->addGlobal('csrf_token', $new_token); UI::twig()->addGlobal('csrf_token', $new_token);
if ($_SERVER['REQUEST_METHOD'] === 'POST') { if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$current_token = $_POST['csrf_token']; $current_token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
if ($current_token != CurrentUser::getField('csrf_token')) { if ($current_token != CurrentUser::getField('csrf_token')) {
Response::dynamicError('CSRF validation failed'); Response::dynamicError('CSRF validation failed');
} }
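Review bot: The changed line now lets `$current_token` be `null` (and, as before, an array when the client sends `csrf_token[]`), but the comparison on the next line still uses loose `!=` against `CurrentUser::getField('csrf_token')`, which is both type-juggling and not constant-time. Replace it with a strict, timing-safe check that also rejects non-string input: `if (!is_string($current_token) || !hash_equals((string)CurrentUser::getField('csrf_token'), $current_token)) {`. The `hash_equals` call throws a `TypeError` on non-string arguments in PHP 8, which is why the `is_string` guard comes first. The enclosing `if (CurrentUser::hasSession())` block begins outside this hunk.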


@@ -7,6 +7,7 @@
<meta name="robots" content="noindex, nofollow, noarchive"/> <meta name="robots" content="noindex, nofollow, noarchive"/>
<meta name="googlebot" content="nosnippet"/> <meta name="googlebot" content="nosnippet"/>
<link rel="icon" type="image/x-icon" href="{{ basehref|default('') }}templates/Froxlor/assets/img/icon.png"> <link rel="icon" type="image/x-icon" href="{{ basehref|default('') }}templates/Froxlor/assets/img/icon.png">
<meta name="csrf-token" content="{{ csrf_token }}" />
<!-- CSS --> <!-- CSS -->
{% if theme_css is empty %} {% if theme_css is empty %}


@@ -11,6 +11,12 @@ window.Chart = Chart;
$(function () { $(function () {
window.$theme = 'Froxlor'; window.$theme = 'Froxlor';
$.ajaxSetup({
headers: {
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
}
});
const tooltipTriggerList = [].slice.call(document.querySelectorAll('[data-bs-toggle="tooltip"]')) const tooltipTriggerList = [].slice.call(document.querySelectorAll('[data-bs-toggle="tooltip"]'))
const tooltipList = tooltipTriggerList.map(function (tooltipTriggerEl) { const tooltipList = tooltipTriggerList.map(function (tooltipTriggerEl) {
return new bootstrap.Tooltip(tooltipTriggerEl) return new bootstrap.Tooltip(tooltipTriggerEl)
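Review bot: `$.ajaxSetup({ headers: ... })` attaches the session's CSRF token to every jQuery request, including any cross-origin call made through `$.ajax`/`$.get`/`$.post`, so the token would be sent to a third-party host if one is ever contacted this way. The usual pattern is to add the header from a `beforeSend` callback that skips requests jQuery marks as `crossDomain`. Note also that the header value is read once from `meta[name="csrf-token"]` at setup time, so the header is silently absent on any page whose template does not render that tag; a comment such as `// requires <meta name="csrf-token"> in the page head` would help the next maintainer. The `$(function () { ... })` callback continues past the end of this hunk.
```javascript
$.ajaxSetup({
    beforeSend: function (xhr, settings) {
        // only attach the session token to same-origin requests
        if (!settings.crossDomain) {
            xhr.setRequestHeader('X-CSRF-TOKEN', $('meta[name="csrf-token"]').attr('content'));
        }
    }
});
// … unchanged: tooltip initialisation …
```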