[Owncloud] Cross-site request forgery protection

Thomas Tanghus thomas at tanghus.net
Wed Jun 13 15:52:47 UTC 2012


On Wednesday 13 June 2012 11:55 Frank Karlitschek wrote:
> On 12.06.2012, at 14:16, Thomas Tanghus <thomas at tanghus.net> wrote:
> > I just tested this, and we need some extra methods. Something like:
(...)
> > On Friday 08 June 2012 16:42 Frank Karlitschek wrote:
> Makes a lot of sense IMHO. :-)

I have made the proposed changes in [1] and added requesttoken as a variable in OC_Template.
Also, requesttoken is now sent with all js request headers from layout.user.php.
I'm not absolutely happy with having it as a js var [2], but I see no real alternative?

All you have to do now is add OCP\JSON::callCheck() to all ajax files that do more
than simple queries.

I have implemented it for Contacts in [3]

(Crossing my fingers for not having broken anything ;-) )

[1] https://gitorious.org/owncloud/owncloud/commit/89464721c7aa4464419cbcbedc658843f6c4696d
[2] https://gitorious.org/owncloud/owncloud/blobs/89464721c7aa4464419cbcbedc658843f6c4696d/core/templates/layout.user.php#line35
[3] https://gitorious.org/owncloud/owncloud/commit/bc1e8cb0a2ef634949ae520c6aedab435eaf5b80

-- 
Med venlig hilsen / Best Regards

Thomas Tanghus


