[Owncloud] Cross-site request forgery protection
Frank Karlitschek
frank at owncloud.org
Wed Jun 13 20:40:32 UTC 2012
Very cool!!
do you think it's possible to backport it to stable4?
Frank
On 13.06.2012, at 17:52, Thomas Tanghus <thomas at tanghus.net> wrote:
> On Wednesday 13 June 2012 11:55 Frank Karlitschek wrote:
>> On 12.06.2012, at 14:16, Thomas Tanghus <thomas at tanghus.net> wrote:
>>> I just tested this, and we need some extra methods. Something like:
> (...)
>>> On Friday 08 June 2012 16:42 Frank Karlitschek wrote:
>> Makes a lot of sense IMHO. :-)
>
> I have made the proposed changes in [1] and added requesttoken as a variable in OC_Template.
> Also requesttoken is now sent with all js request headers from layout.user.php.
> I'm not absolutely happy with having it as a js var [2], but I see no real alternative?
>
> All you have to do now is add OCP\JSON::callCheck() to all ajax files that do more
> than simple queries.
>
> I have implemented it for Contacts in [3]
>
> (Crossing my fingers for not having broken anything ;-) )
>
> [1] https://gitorious.org/owncloud/owncloud/commit/89464721c7aa4464419cbcbedc658843f6c4696d
> [2] https://gitorious.org/owncloud/owncloud/blobs/89464721c7aa4464419cbcbedc658843f6c4696d/core/templates/layout.user.php#line35
> [3] https://gitorious.org/owncloud/owncloud/commit/bc1e8cb0a2ef634949ae520c6aedab435eaf5b80
>
> --
> Med venlig hilsen / Best Regards
>
> Thomas Tanghus
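The scheme described in the quoted message (a per-session request token, exposed to the page as a JS variable, attached as a header to every XHR, and verified server-side by the state-changing ajax endpoints) condensed into a stand-alone PHP example. This is an added illustration, not ownCloud's code: the function names `csrf_token()`, `csrf_check_request()`, `csrf_layout_snippet()` and `handle_delete_contact()` are assumptions standing in for `OC_Template`'s variable, `layout.user.php` and `OCP\JSON::callCheck()`, and jQuery is assumed on the client side.

```php
<?php
// Added example of a request-token (CSRF) check; names are hypothetical,
// not the ownCloud API. Requires PHP 7+ (random_bytes, hash_equals).

session_start();

/** Return the per-session token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['requesttoken'])) {
        // 32 random bytes, hex-encoded: unguessable and safe to embed in markup.
        $_SESSION['requesttoken'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['requesttoken'];
}

/**
 * Verify the token the client sent, preferring the custom request header
 * (the thread's JS approach) and falling back to a POST field for plain
 * forms. On failure it answers HTTP 403 with a JSON error and stops, so a
 * mutating ajax file can simply call it on its first line.
 */
function csrf_check_request(): bool
{
    $sent     = $_SERVER['HTTP_REQUESTTOKEN'] ?? $_POST['requesttoken'] ?? '';
    $expected = $_SESSION['requesttoken'] ?? '';
    // hash_equals() compares in constant time; never use == for secrets.
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['status' => 'error', 'data' => ['message' => 'CSRF check failed']]);
        exit;
    }
    return true;
}

/**
 * Layout snippet: expose the token to the browser as a JS variable and make
 * jQuery send it as a header on every XHR. A cross-site page can neither read
 * this variable nor add a custom header to a simple cross-origin request, so
 * forged requests arrive without a valid token.
 */
function csrf_layout_snippet(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<script>
  var oc_requesttoken = "$token";
  \$.ajaxSetup({ headers: { 'requesttoken': oc_requesttoken } });
</script>
HTML;
}

/** Stand-in for a state-changing ajax file (e.g. deleting a contact). */
function handle_delete_contact(): void
{
    csrf_check_request();                 // reject forged requests before any side effect
    $id = (int)($_POST['id'] ?? 0);
    // ... delete contact $id for the logged-in user here ...
    header('Content-Type: application/json');
    echo json_encode(['status' => 'success', 'data' => ['id' => $id]]);
}
```

Only endpoints that change state need the check; read-only queries can stay unprotected, as the message says, but any handler that writes should call the check before touching data, and the token must never be placed in a URL, where it would leak through logs and the Referer header.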