Fix for CSRF in FileManager and UploadHandler

2025-08-19 21:04:07 -07:00 · 2021-09-04 15:31:34 +02:00 · 2021-09-04 15:31:34 +02:00 · 93de22a0b3
commit 93de22a0b3
parent 63861e4ffd
6 changed files with 29 additions and 9 deletions
--- a/web/js/app.js
+++ b/web/js/app.js
@ -797,6 +797,8 @@ App.Ajax.request = function(method, data, callback, onError){
    }*/
    //App.Helpers.setAjaxBusy(method, data);
    data = data || {};
+    var token = $('#token').attr('token');
+    data.token = token;

    var prgs = $('.progress-container');

--- a/web/js/file_manager.js
+++ b/web/js/file_manager.js
@ -533,7 +533,8 @@ FM.downloadFileFromSubcontext = function(elm) {
    var src = $.parseJSON($(elm).find('.source').val());

    var path = src.full_path;
-    var win = window.open('/download/file/?path=' + path, '_blank');
+    var token = $('#token').attr('token');
+    var win = window.open('/download/file/?token='+token+'&path=' + path, '_blank');
    win.focus();
 }

@ -552,20 +553,21 @@ FM.openFile = function(dir, box, elm) {
    };
    
    App.Ajax.request('check_file_type', params, function(reply) {
+        var token = $('#token').attr('token');
        if (reply.result) {
            if (FM.isFileEditable(src, reply.data)) {
-                var myWindow = window.open('/edit/file/?path=' + src.full_path, '_blank');//, src.full_path, "width=900, height=700");
+                var myWindow = window.open('/edit/file/?token='+token+'&path=' + src.full_path, '_blank');//, src.full_path, "width=900, height=700");
            }
            else {
                var path = src.full_path;
-                var win = window.open('/download/file/?path=' + path, '_blank');
+                var win = window.open('/download/file/?token='+token+'&path=' + path, '_blank');
                //win.focus();
            }
        }
        else {
            // force download file
            var path = src.full_path;
-            var win = window.open('/download/file/?path=' + path, '_blank');
+            var win = window.open('/download/file/?token='+token+'&path=' + path, '_blank');
            //win.focus();
        }
    });
@ -1994,7 +1996,8 @@ FM.downloadFiles = function() {
    }

    var path = src.full_path;
-    var win = window.open('/download/file/?path=' + path, '_blank');
+    var token = $('#token').attr('token');
+    var win = window.open('/download/file/?token='+token+'&path=' + path, '_blank');
    win.focus();
 }