Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: csrf check failed on public share with password #44369

Merged
merged 3 commits into from
Apr 2, 2024
Merged

fix: csrf check failed on public share with password #44369

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c08ab81
fix: csrf check failed on public share with password
luka-nextcloud Mar 20, 2024
945828b
fix: csrf check failed on public share with password
luka-nextcloud Mar 25, 2024
a42c68d
feat: compile js
luka-nextcloud Mar 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions core/src/main.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ import './jquery/index.js'
import { initCore } from './init.js'
import { registerAppsSlideToggle } from './OC/apps.js'
import { getRequestToken } from '@nextcloud/auth'
import { generateUrl } from '@nextcloud/router'
import Axios from '@nextcloud/axios'

// eslint-disable-next-line camelcase
__webpack_nonce__ = btoa(getRequestToken())
Expand All @@ -50,3 +52,20 @@ window.addEventListener('DOMContentLoaded', function() {
window.onhashchange = _.bind(OC.Util.History._onPopState, OC.Util.History)
}
})

// Fix error "CSRF check failed"
document.addEventListener('DOMContentLoaded', function() {
const form = document.getElementById('password-input-form')
if (form) {
form.addEventListener('submit', async function(event) {
event.preventDefault()
const requestToken = document.getElementById('requesttoken')
if (requestToken) {
const url = generateUrl('/csrftoken')
const resp = await Axios.get(url)
requestToken.value = resp.data.token
}
Comment on lines +63 to +67
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could use grab the currently known CSRF token from @nextcloud/auth to avoid the additional request?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR is for solving issue that the currently known CSRF token might not be the latest.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an existing CSRF token update mechanism that pulls a fresh token every 30 seconds. Is that not sufficient?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is not sufficient. User might submit form during the gap time and see the CSRF failed error randomly.

form.submit()
})
}
})
10 changes: 5 additions & 5 deletions core/templates/publicshareauth.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
<?php endif; ?>
<p>
<label for="password" class="infield"><?php p($l->t('Password')); ?></label>
<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
<input type="hidden" id="requesttoken" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
<input type="password" name="password" id="password"
placeholder="<?php p($l->t('Password')); ?>" value=""
autocomplete="new-password" autocapitalize="off" spellcheck="false"
Expand All @@ -34,7 +34,7 @@ class="svg icon-confirm input-button-inline" value="" disabled="disabled" />
</p>
</fieldset>
</form>

<!-- email prompt form. It should initially be hidden -->
<?php if (isset($_['identityOk'])): ?>
<form method="post" id="email-input-form">
Expand All @@ -46,7 +46,7 @@ class="svg icon-confirm input-button-inline" value="" disabled="disabled" />
<p>
<input type="email" id="email" name="identityToken" placeholder="<?php p($l->t('Email address')); ?>" />
<input type="submit" id="password-request" name="passwordRequest" class="svg icon-confirm input-button-inline" value="" disabled="disabled"/>
<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
<input type="hidden" id="requesttoken" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
<input type="hidden" name="sharingToken" value="<?php p($_['share']->getToken()) ?>" id="sharingToken">
<input type="hidden" name="sharingType" value="<?php p($_['share']->getShareType()) ?>" id="sharingType">
</p>
Expand All @@ -59,12 +59,12 @@ class="svg icon-confirm input-button-inline" value="" disabled="disabled" />
<?php endif; ?>
</fieldset>
</form>

<!-- request password button -->
<?php if (!isset($_['identityOk']) && $_['share']->getShareType() === $_['share']::TYPE_EMAIL && !$_['share']->getSendPasswordByTalk()): ?>
<a id="request-password-button-not-talk"><?php p($l->t('Forgot password?')); ?></a>
<?php endif; ?>

<!-- back to showShare button -->
<form method="get">
<fieldset>
Expand Down
4 changes: 2 additions & 2 deletions dist/core-main.js
View file
Open in desktop

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/core-main.js.map
View file
Open in desktop

Large diffs are not rendered by default.

Loading