fix: csrf check failed on public share with password #44369
core/js/publicshareauth.js
document.addEventListener('DOMContentLoaded', function() { | ||
var form = document.getElementById('password-input-form'); | ||
if (form) { | ||
form.addEventListener('submit', async function(event) { | ||
event.preventDefault(); | ||
var requestToken = document.getElementById('requesttoken'); | ||
if (requestToken) { | ||
requestToken.value = await OC.fetchRequestToken(); | ||
} | ||
form.submit(); | ||
}); | ||
} | ||
}); |
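Review bot: the submit listener at `form.addEventListener('submit', async function(event) {` calls `event.preventDefault()` before awaiting `OC.fetchRequestToken()`, so if that promise rejects (network failure, expired session) the rejection escapes the async handler and `form.submit()` is never reached; the user presses submit and nothing visibly happens. Wrap the await in try/catch and fall through to `form.submit()` with whatever value is already in the hidden field, so the worst case is the existing CSRF error rather than a silent no-op. A short comment that `form.submit()` is used deliberately because it does not fire the submit event (and so cannot re-enter this handler) would also help the next reader.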
would it be possible to move this into a "modern" js module that goes through webpack? then you can import @nextcloud/router directly and we avoid adding a new property to the dated OC global
if (requestToken) { | ||
const url = generateUrl('/csrftoken') | ||
const resp = await Axios.get(url) | ||
requestToken.value = resp.data.token | ||
} |
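Review bot: `const resp = await Axios.get(url)` has no error path, and `resp.data.token` is assigned without checking the response shape; a rejected request or an unexpected body leaves the submit handler after preventDefault has fired, so the form is never submitted. Wrap the request in try/catch, assign only when `resp.data` carries a string `token`, and otherwise keep the current field value so the form still goes out. The imports for `generateUrl` and `Axios` are outside the visible lines; confirm they are present in the module.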
Could you grab the currently known CSRF token from @nextcloud/auth to avoid the additional request?
This PR is for solving the issue that the currently known CSRF token might not be the latest.
There is an existing CSRF token update mechanism that pulls a fresh token every 30 seconds. Is that not sufficient?
I think it is not sufficient. A user might submit the form during the gap and see the CSRF failed error randomly.
This looks like a valid solution to me - however, I haven't tested it fully.
Signed-off-by: Luka Trovic <[email protected]>
6d5b7ea to a42c68d
@juliushaertl @ChristophWurst @Altahrim This PR was missed from the release.
/backport to stable29
Summary
"CSRF check failed" on public share with password