mirror of
https://github.com/the-djmaze/snappymail.git
synced 2026-07-10 06:58:27 +03:00
Also protect GET requests with token for #892
This commit is contained in:
parent
b1c9bebce6
commit
d7b5f3f4db
2 changed files with 9 additions and 2 deletions
3
dev/bootstrap.js
vendored
3
dev/bootstrap.js
vendored
|
|
@ -60,7 +60,8 @@ export default App => {
|
|||
postData.XToken = Settings.app('token');
|
||||
init.body = JSON.stringify(postData);
|
||||
}
|
||||
|
||||
init.headers['X-SM-Token'] = Settings.app('token');
|
||||
// init.headers = new Headers(init.headers);
|
||||
return fetch(resource, init);
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -92,7 +92,13 @@ class ServiceActions
|
|||
throw new Exceptions\ClientException(Notifications::InvalidInputArgument, null, 'Action unknown');
|
||||
}
|
||||
|
||||
if ($this->oHttp->IsPost() && ($_POST['XToken'] ?? '') !== Utils::GetCsrfToken()) {
|
||||
$xtoken = $token = Utils::GetCsrfToken();
|
||||
if (isset($_SERVER['HTTP_X_SM_TOKEN'])) {
|
||||
$xtoken = $_SERVER['HTTP_X_SM_TOKEN'];
|
||||
} else if ($this->oHttp->IsPost()) {
|
||||
$xtoken = $_POST['XToken'] ?? '';
|
||||
}
|
||||
if ($xtoken !== $token) {
|
||||
throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'Token mismatch');
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue