mirror of
https://github.com/the-djmaze/snappymail.git
synced 2026-07-13 03:27:39 +03:00
Also protect GET requests with token for #892
This commit is contained in:
parent
b1c9bebce6
commit
d7b5f3f4db
2 changed files with 9 additions and 2 deletions
3
dev/bootstrap.js
vendored
3
dev/bootstrap.js
vendored
|
|
@ -60,7 +60,8 @@ export default App => {
|
||||||
postData.XToken = Settings.app('token');
|
postData.XToken = Settings.app('token');
|
||||||
init.body = JSON.stringify(postData);
|
init.body = JSON.stringify(postData);
|
||||||
}
|
}
|
||||||
|
init.headers['X-SM-Token'] = Settings.app('token');
|
||||||
|
// init.headers = new Headers(init.headers);
|
||||||
return fetch(resource, init);
|
return fetch(resource, init);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -92,7 +92,13 @@ class ServiceActions
|
||||||
throw new Exceptions\ClientException(Notifications::InvalidInputArgument, null, 'Action unknown');
|
throw new Exceptions\ClientException(Notifications::InvalidInputArgument, null, 'Action unknown');
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($this->oHttp->IsPost() && ($_POST['XToken'] ?? '') !== Utils::GetCsrfToken()) {
|
$xtoken = $token = Utils::GetCsrfToken();
|
||||||
|
if (isset($_SERVER['HTTP_X_SM_TOKEN'])) {
|
||||||
|
$xtoken = $_SERVER['HTTP_X_SM_TOKEN'];
|
||||||
|
} else if ($this->oHttp->IsPost()) {
|
||||||
|
$xtoken = $_POST['XToken'] ?? '';
|
||||||
|
}
|
||||||
|
if ($xtoken !== $token) {
|
||||||
throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'Token mismatch');
|
throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'Token mismatch');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue