From a0610799957af000f93a6aba305003054ab0283c Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 17 Sep 2014 16:07:26 -0400
Subject: [PATCH] fixed all POST routes to use new csrf middleware
---
public/src/forum/admin/categories.js | 2 +-
public/src/modules/composer/uploads.js | 6 +++---
public/src/modules/uploader.js | 1 +
src/controllers/accounts.js | 2 ++
src/controllers/admin.js | 5 ++++-
src/controllers/categories.js | 1 +
src/controllers/topics.js | 1 +
src/routes/admin.js | 8 ++++----
src/routes/api.js | 6 +++---
src/routes/index.js | 20 ++++++++++----------
10 files changed, 30 insertions(+), 22 deletions(-)
diff --git a/public/src/forum/admin/categories.js b/public/src/forum/admin/categories.js
index 37a551ffef..c91f2bf706 100644
--- a/public/src/forum/admin/categories.js
+++ b/public/src/forum/admin/categories.js
@@ -203,7 +203,7 @@ define('forum/admin/categories', ['uploader', 'forum/admin/iconSelect'], functio
 var inputEl = $(this),
 cid = inputEl.parents('li[data-cid]').attr('data-cid');
- uploader.open(RELATIVE_PATH + '/admin/category/uploadpicture', {cid: cid}, 0, function(imageUrlOnServer) {
+ uploader.open(RELATIVE_PATH + '/admin/category/uploadpicture', { cid: cid }, 0, function(imageUrlOnServer) {
 inputEl.val(imageUrlOnServer);
 var previewBox = inputEl.parents('li[data-cid]').find('.preview-box');
 previewBox.css('background', 'url(' + imageUrlOnServer + '?' + new Date().getTime() + ')')
diff --git a/public/src/modules/composer/uploads.js b/public/src/modules/composer/uploads.js
index 008970a3ca..54822aa681 100644
--- a/public/src/modules/composer/uploads.js
+++ b/public/src/modules/composer/uploads.js
@@ -235,10 +235,10 @@ define('composer/uploads', ['composer/preview'], function(preview) {
 textarea.val(current.replace(re, filename + '](' + text + ')'));
 }
- $(this).find('#postUploadCsrf').val($('#csrf_token').val());
+ $(this).find('#postUploadCsrf').val($('#csrf').attr('data-csrf'));
 if (formData) {
- formData.append('_csrf', $('#csrf_token').val());
+ formData.append('_csrf', $('#csrf').attr('data-csrf'));
 }
 uploads.inProgress[post_uuid] = uploads.inProgress[post_uuid] || [];
@@ -291,7 +291,7 @@ define('composer/uploads', ['composer/preview'], function(preview) {
 thumbForm.attr('action', params.route);
 thumbForm.off('submit').submit(function() {
- var csrf = $('#csrf_token').val();
+ var csrf = $('#csrf').attr('data-csrf');
 $(this).find('#thumbUploadCsrf').val(csrf);
 if(formData) {
diff --git a/public/src/modules/uploader.js b/public/src/modules/uploader.js
index 2d5aa120f3..e44d59d4e2 100644
--- a/public/src/modules/uploader.js
+++ b/public/src/modules/uploader.js
@@ -19,6 +19,7 @@ define('uploader', function() {
 uploadForm[0].reset();
 uploadForm.attr('action', route);
 uploadForm.find('#params').val(JSON.stringify(params));
+ uploadForm.find('#csrfToken').val($('#csrf').attr('data-csrf'));
 if(fileSize) {
 uploadForm.find('#upload-file-size').html(fileSize);
diff --git a/src/controllers/accounts.js b/src/controllers/accounts.js
index a9466e4569..a91197a069 100644
--- a/src/controllers/accounts.js
+++ b/src/controllers/accounts.js
@@ -336,6 +336,8 @@ accountsController.accountEdit = function(req, res, next) {
 return next(err);
 }
+ userData.csrf = req.csrfToken();
+
 res.render('account/edit', userData);
 });
 };
diff --git a/src/controllers/admin.js b/src/controllers/admin.js
index 84834edef0..af1a419152 100644
--- a/src/controllers/admin.js
+++ b/src/controllers/admin.js
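Review bot: In both uploads.js hunks and the uploader.js hunk the token is read with `$('#csrf').attr('data-csrf')` at submit time and nothing handles the element being absent: `formData.append('_csrf', undefined)` sends the literal string "undefined" and the hidden inputs get an empty value, so the server rejects the upload and the user only sees a generic failure. The composer can be opened from pages whose controllers this patch does not give a `csrf` value (only the topic, category, account-edit and admin-category controllers are changed here), so I would read the token once, `var csrf = $('#csrf').attr('data-csrf');`, and abort the submit with a user-facing error when it is undefined before touching formData. The template that renders the `#csrf` element is not in this diff, so which pages carry it needs confirming. The enclosing submit handlers start outside the hunks.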
@@ -127,7 +127,10 @@ function filterAndRenderCategories(req, res, next, active) {
 return active ? !category.disabled : category.disabled;
 });
- res.render('admin/categories', {categories: categoryData});
+ res.render('admin/categories', {
+ categories: categoryData,
+ csrf: req.csrfToken()
+ });
 });
 }
diff --git a/src/controllers/categories.js b/src/controllers/categories.js
index f7557210fb..e663db6ddc 100644
--- a/src/controllers/categories.js
+++ b/src/controllers/categories.js
@@ -176,6 +176,7 @@ categoriesController.get = function(req, res, next) {
 data.currentPage = page;
 data['feeds:disableRSS'] = meta.config['feeds:disableRSS'] === '1' ? true : false;
+ data.csrf = req.csrfToken();
 // Paginator for noscript
 data.pages = [];
diff --git a/src/controllers/topics.js b/src/controllers/topics.js
index bfc2b4e396..ef388d183e 100644
--- a/src/controllers/topics.js
+++ b/src/controllers/topics.js
@@ -196,6 +196,7 @@ topicsController.get = function(req, res, next) {
 data['reputation:disabled'] = parseInt(meta.config['reputation:disabled'], 10) === 1;
 data['downvote:disabled'] = parseInt(meta.config['downvote:disabled'], 10) === 1;
 data['feeds:disableRSS'] = parseInt(meta.config['feeds:disableRSS'], 10) === 1;
+ data.csrf = req.csrfToken();
 var topic_url = tid + (req.params.slug ? '/' + req.params.slug : '');
 var queryString = qs.stringify(req.query);
diff --git a/src/routes/admin.js b/src/routes/admin.js
index 008acfde60..c18cc8665c 100644
--- a/src/routes/admin.js
+++ b/src/routes/admin.js
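Review bot: `req.csrfToken()` in the admin.js, categories.js and topics.js hunks (and in accounts.js above) is only defined when the CSRF middleware has already run for that route; on any route that reaches these controllers without `middleware.requireCSRF` the call throws a TypeError inside the callback instead of going through `next(err)`. The routes files in this patch add the middleware to the page and `/api/...` variants, but other paths into `controllers.topics.get` / `controllers.categories.get` are not visible here, so a comment such as `// requires the CSRF middleware on the route: it provides req.csrfToken()` beside each assignment would record the coupling. Note also that `csrf` is now part of the JSON body returned by the `/api/...` routes; that is acceptable only while those responses stay same-origin (no permissive CORS) and are not cached by a shared cache, since this token is exactly what the POST routes trust. Each controller's callback starts outside its hunk.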
@@ -43,11 +43,11 @@ function userRoutes(app, middleware, controllers) {
 }
 function forumRoutes(app, middleware, controllers) {
- app.get('/admin/categories/active', middleware.admin.buildHeader, controllers.admin.categories.active);
- app.get('/api/admin/categories/active', controllers.admin.categories.active);
+ app.get('/admin/categories/active', middleware.requireCSRF, middleware.admin.buildHeader, controllers.admin.categories.active);
+ app.get('/api/admin/categories/active', middleware.requireCSRF, controllers.admin.categories.active);
- app.get('/admin/categories/disabled', middleware.admin.buildHeader, controllers.admin.categories.disabled);
- app.get('/api/admin/categories/disabled', controllers.admin.categories.disabled);
+ app.get('/admin/categories/disabled', middleware.requireCSRF, middleware.admin.buildHeader, controllers.admin.categories.disabled);
+ app.get('/api/admin/categories/disabled', middleware.requireCSRF, controllers.admin.categories.disabled);
 app.get('/admin/tags', middleware.admin.buildHeader, controllers.admin.tags.get);
 app.get('/api/admin/tags', controllers.admin.tags.get);
diff --git a/src/routes/api.js b/src/routes/api.js
index e152715beb..5a59a2387d 100644
--- a/src/routes/api.js
+++ b/src/routes/api.js
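Review bot: `middleware.requireCSRF` is added to GET routes here and in the three `src/routes/index.js` hunks (topic, category and account-edit routes) although the commit message speaks of POST routes. If `requireCSRF` is a csurf-style middleware it ignores safe methods and on GET merely attaches `req.csrfToken`, which is what the changed controllers need, but then the name misdescribes its role on these routes; if it instead enforces a token on every method, every topic and category page would start answering 403. Once confirmed, the intent belongs at the route, e.g. `// GET: token provider only (req.csrfToken for the rendered form); enforcement is on the POST routes in api.js`, or the middleware split into a provider and an enforcer with distinct names. forumRoutes continues outside the hunk.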
@@ -203,8 +203,8 @@ module.exports = function(app, middleware, controllers) {
 router.get('/categories/:cid/moderators', getModerators);
 router.get('/recent/posts/:term?', getRecentPosts);
- router.post('/post/upload', uploadPost);
- router.post('/topic/thumb/upload', uploadThumb);
- router.post('/user/:userslug/uploadpicture', middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.uploadPicture);
+ router.post('/post/upload', middleware.requireCSRF, uploadPost);
+ router.post('/topic/thumb/upload', middleware.requireCSRF, uploadThumb);
+ router.post('/user/:userslug/uploadpicture', middleware.requireCSRF, middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.uploadPicture);
 };
diff --git a/src/routes/index.js b/src/routes/index.js
index 1e3124a6ea..f53043eb17 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
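Review bot: The three upload routes now run `middleware.requireCSRF` first, but these are multipart requests whose token travels in the form body (`_csrf` appended to FormData and the `#postUploadCsrf`/`#thumbUploadCsrf` hidden inputs in the uploads.js hunks); a csurf-style middleware reads `req.body._csrf`, so the check only works if the multipart body has already been parsed when it runs. Where the body parser for these routes is mounted is not visible in this diff; if it runs after this middleware or inside `uploadPost`/`uploadThumb`, `req.body` is empty at check time and every upload is rejected as a CSRF failure. A contract that does not depend on parser ordering is to also send the token in a request header (csurf-style middleware accepts `x-csrf-token`) from the client. Placing `requireCSRF` before `middleware.authenticate` is harmless, though authenticating first gives unauthenticated callers a 401 rather than a 403; the exported function continues outside the hunk.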
@@ -54,11 +54,11 @@ function staticRoutes(app, middleware, controllers) {
 function topicRoutes(app, middleware, controllers) {
 app.get('/api/topic/teaser/:topic_id', controllers.topics.teaser);
- app.get('/topic/:topic_id/:slug/:post_index?', middleware.buildHeader, middleware.checkPostIndex, controllers.topics.get);
- app.get('/api/topic/:topic_id/:slug/:post_index?', middleware.checkPostIndex, controllers.topics.get);
+ app.get('/topic/:topic_id/:slug/:post_index?', middleware.requireCSRF, middleware.buildHeader, middleware.checkPostIndex, controllers.topics.get);
+ app.get('/api/topic/:topic_id/:slug/:post_index?', middleware.requireCSRF, middleware.checkPostIndex, controllers.topics.get);
- app.get('/topic/:topic_id/:slug?', middleware.buildHeader, middleware.addSlug, controllers.topics.get);
- app.get('/api/topic/:topic_id/:slug?', middleware.addSlug, controllers.topics.get);
+ app.get('/topic/:topic_id/:slug?', middleware.requireCSRF, middleware.buildHeader, middleware.addSlug, controllers.topics.get);
+ app.get('/api/topic/:topic_id/:slug?', middleware.requireCSRF, middleware.addSlug, controllers.topics.get);
 }
 function tagRoutes(app, middleware, controllers) {
@@ -82,11 +82,11 @@ function categoryRoutes(app, middleware, controllers) {
 app.get('/api/unread/total', middleware.authenticate, controllers.categories.unreadTotal);
- app.get('/category/:category_id/:slug/:topic_index', middleware.buildHeader, middleware.checkTopicIndex, controllers.categories.get);
- app.get('/api/category/:category_id/:slug/:topic_index', middleware.checkTopicIndex, controllers.categories.get);
+ app.get('/category/:category_id/:slug/:topic_index', middleware.requireCSRF, middleware.buildHeader, middleware.checkTopicIndex, controllers.categories.get);
+ app.get('/api/category/:category_id/:slug/:topic_index', middleware.requireCSRF, middleware.checkTopicIndex, controllers.categories.get);
- app.get('/category/:category_id/:slug?', middleware.buildHeader, middleware.addSlug, controllers.categories.get);
- app.get('/api/category/:category_id/:slug?', controllers.categories.get);
+ app.get('/category/:category_id/:slug?', middleware.requireCSRF, middleware.buildHeader, middleware.addSlug, controllers.categories.get);
+ app.get('/api/category/:category_id/:slug?', middleware.requireCSRF, controllers.categories.get);
 }
 function accountRoutes(app, middleware, controllers) {
@@ -108,8 +108,8 @@ function accountRoutes(app, middleware, controllers) {
 app.get('/user/:userslug/topics', middleware.buildHeader, middleware.checkGlobalPrivacySettings, controllers.accounts.getTopics);
 app.get('/api/user/:userslug/topics', middleware.checkGlobalPrivacySettings, controllers.accounts.getTopics);
- app.get('/user/:userslug/edit', middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
- app.get('/api/user/:userslug/edit', middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
+ app.get('/user/:userslug/edit', middleware.requireCSRF, middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
+ app.get('/api/user/:userslug/edit', middleware.requireCSRF, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
 app.get('/user/:userslug/settings', middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings);
 app.get('/api/user/:userslug/settings', middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings);