Merge branch 'csrf-excision' into hashtalk
@@ -160,9 +160,7 @@ var socket,
|
||||
};
|
||||
|
||||
app.logout = function() {
|
||||
$.post(RELATIVE_PATH + '/logout', {
|
||||
_csrf: $('#csrf_token').val()
|
||||
}, function() {
|
||||
$.post(RELATIVE_PATH + '/logout', function() {
|
||||
window.location.href = RELATIVE_PATH + '/';
|
||||
});
|
||||
};
|
||||
|
||||
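Review bot: The client-side logout here stops sending `_csrf`, but the matching route hunk (`@@ -197,8 +197,8 @@`) leaves `app.post('/logout', logout);` without `middleware.requireCSRF` while `/register` and `/login` get it, and the global `app.use(csrf())` goes away in the `@@ -116,10 +115,8 @@` hunk, so after this merge a cross-origin page can POST `/logout` with the victim's session cookie and force a logout. The same client change is repeated in the `forum/admin/index` hunk (`@@ -17,9 +17,7 @@`). If forced logout is not an accepted trade-off, keep the token on both client calls, e.g. `$.post(RELATIVE_PATH + '/logout', { _csrf: $('#csrf').attr('data-csrf') }, function() {`, and register the route as `app.post('/logout', middleware.requireCSRF, logout);`. That in turn requires every page that renders the logout control to have been served through `requireCSRF`, otherwise the header carries no token. `app.logout` is complete within the hunk; the function that registers `/logout` starts outside its hunk.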
@@ -203,7 +203,7 @@ define('forum/admin/categories', ['uploader', 'forum/admin/iconSelect'], functio
|
||||
var inputEl = $(this),
|
||||
cid = inputEl.parents('li[data-cid]').attr('data-cid');
|
||||
|
||||
uploader.open(RELATIVE_PATH + '/admin/category/uploadpicture', {cid: cid}, 0, function(imageUrlOnServer) {
|
||||
uploader.open(RELATIVE_PATH + '/admin/category/uploadpicture', { cid: cid }, 0, function(imageUrlOnServer) {
|
||||
inputEl.val(imageUrlOnServer);
|
||||
var previewBox = inputEl.parents('li[data-cid]').find('.preview-box');
|
||||
previewBox.css('background', 'url(' + imageUrlOnServer + '?' + new Date().getTime() + ')')
|
||||
|
||||
@@ -17,9 +17,7 @@ define('forum/admin/index', ['semver'], function(semver) {
|
||||
}, 3000);
|
||||
|
||||
$('#logout-link').on('click', function() {
|
||||
$.post(RELATIVE_PATH + '/logout', {
|
||||
_csrf: $('#csrf_token').val()
|
||||
}, function() {
|
||||
$.post(RELATIVE_PATH + '/logout', function() {
|
||||
window.location.href = RELATIVE_PATH + '/';
|
||||
});
|
||||
});
|
||||
|
||||
@@ -235,10 +235,10 @@ define('composer/uploads', ['composer/preview'], function(preview) {
|
||||
textarea.val(current.replace(re, filename + '](' + text + ')'));
|
||||
}
|
||||
|
||||
$(this).find('#postUploadCsrf').val($('#csrf_token').val());
|
||||
$(this).find('#postUploadCsrf').val($('#csrf').attr('data-csrf'));
|
||||
|
||||
if (formData) {
|
||||
formData.append('_csrf', $('#csrf_token').val());
|
||||
formData.append('_csrf', $('#csrf').attr('data-csrf'));
|
||||
}
|
||||
|
||||
uploads.inProgress[post_uuid] = uploads.inProgress[post_uuid] || [];
|
||||
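Review bot: `$('#csrf').attr('data-csrf')` on the two changed lines is only populated when the page hosting the composer was served through `middleware.requireCSRF`; on any other page the header's `csrf: req.csrfToken ? req.csrfToken() : undefined` (hunks `@@ -61,7 +61,7 @@` and `@@ -278,7 +281,7 @@`) renders no token, `formData.append('_csrf', undefined)` sends the literal string "undefined", and the upload is refused with a 403 at submit time instead of failing visibly earlier. The same read appears in the `@@ -291,7 +291,7 @@` and uploader `@@ -19,6 +19,7 @@` hunks. I would read the token once, `var csrf = $('#csrf').attr('data-csrf');`, and abort the upload with a user-visible error when it is empty rather than submitting; whether the composer can be opened from a page whose GET route lacks `requireCSRF` cannot be confirmed from this diff. The enclosing submit handler starts and ends outside the hunk.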
@@ -291,7 +291,7 @@ define('composer/uploads', ['composer/preview'], function(preview) {
|
||||
thumbForm.attr('action', params.route);
|
||||
|
||||
thumbForm.off('submit').submit(function() {
|
||||
var csrf = $('#csrf_token').val();
|
||||
var csrf = $('#csrf').attr('data-csrf');
|
||||
$(this).find('#thumbUploadCsrf').val(csrf);
|
||||
|
||||
if(formData) {
|
||||
|
||||
@@ -19,6 +19,7 @@ define('uploader', function() {
|
||||
uploadForm[0].reset();
|
||||
uploadForm.attr('action', route);
|
||||
uploadForm.find('#params').val(JSON.stringify(params));
|
||||
uploadForm.find('#csrfToken').val($('#csrf').attr('data-csrf'));
|
||||
|
||||
if(fileSize) {
|
||||
uploadForm.find('#upload-file-size').html(fileSize);
|
||||
@@ -58,9 +59,6 @@ define('uploader', function() {
|
||||
return false;
|
||||
}
|
||||
|
||||
$(this).find('#imageUploadCsrf').val($('#csrf_token').val());
|
||||
|
||||
|
||||
$(this).ajaxSubmit({
|
||||
error: function(xhr) {
|
||||
xhr = maybeParse(xhr);
|
||||
|
||||
@@ -337,6 +337,8 @@ accountsController.accountEdit = function(req, res, next) {
|
||||
return next(err);
|
||||
}
|
||||
|
||||
userData.csrf = req.csrfToken();
|
||||
|
||||
res.render('account/edit', userData);
|
||||
});
|
||||
};
|
||||
|
||||
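Review bot: `userData.csrf = req.csrfToken();` is unconditional, whereas the header hunks guard the same call with `req.csrfToken ? req.csrfToken() : undefined`; if this controller is ever reached by a route that does not list `middleware.requireCSRF`, the TypeError is thrown inside the async callback rather than surfacing as a handled error. The same unconditional call is added in the `@@ -143,7 +143,10 @@`, `@@ -197,7 +200,9 @@`, `@@ -189,6 +189,7 @@`, `@@ -142,7 +142,7 @@`, `@@ -171,7 +171,7 @@` and `@@ -198,6 +198,7 @@` hunks. Pick one policy for both places; if failing loudly is the intent, a comment such as `// requires middleware.requireCSRF on the route; csurf attaches req.csrfToken` next to each call makes the coupling explicit. `accountEdit` starts outside the hunk.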
@@ -143,7 +143,10 @@ function filterAndRenderCategories(req, res, next, active) {
|
||||
return active ? !category.disabled : category.disabled;
|
||||
});
|
||||
|
||||
res.render('admin/categories', {categories: categoryData});
|
||||
res.render('admin/categories', {
|
||||
categories: categoryData,
|
||||
csrf: req.csrfToken()
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
@@ -197,7 +200,9 @@ adminController.languages.get = function(req, res, next) {
|
||||
};
|
||||
|
||||
adminController.settings.get = function(req, res, next) {
|
||||
res.render('admin/settings', {});
|
||||
res.render('admin/settings', {
|
||||
'csrf': req.csrfToken()
|
||||
});
|
||||
};
|
||||
|
||||
adminController.logger.get = function(req, res, next) {
|
||||
|
||||
@@ -189,6 +189,7 @@ categoriesController.get = function(req, res, next) {
|
||||
|
||||
data.currentPage = page;
|
||||
data['feeds:disableRSS'] = meta.config['feeds:disableRSS'] === '1' ? true : false;
|
||||
data.csrf = req.csrfToken();
|
||||
|
||||
// Paginator for noscript
|
||||
data.pages = [];
|
||||
|
||||
@@ -142,7 +142,7 @@ Controllers.login = function(req, res, next) {
|
||||
|
||||
data.alternate_logins = num_strategies > 0;
|
||||
data.authentication = login_strategies;
|
||||
data.token = res.locals.csrf_token;
|
||||
data.token = req.csrfToken();
|
||||
data.showResetLink = emailersPresent;
|
||||
data.allowLocalLogin = meta.config.allowLocalLogin === undefined || parseInt(meta.config.allowLocalLogin, 10) === 1;
|
||||
data.allowRegistration = meta.config.allowRegistration;
|
||||
@@ -171,7 +171,7 @@ Controllers.register = function(req, res, next) {
|
||||
|
||||
data.authentication = login_strategies;
|
||||
|
||||
data.token = res.locals.csrf_token;
|
||||
data.token = req.csrfToken();
|
||||
data.minimumUsernameLength = meta.config.minimumUsernameLength;
|
||||
data.maximumUsernameLength = meta.config.maximumUsernameLength;
|
||||
data.minimumPasswordLength = meta.config.minimumPasswordLength;
|
||||
|
||||
@@ -198,6 +198,7 @@ topicsController.get = function(req, res, next) {
|
||||
data['reputation:disabled'] = parseInt(meta.config['reputation:disabled'], 10) === 1;
|
||||
data['downvote:disabled'] = parseInt(meta.config['downvote:disabled'], 10) === 1;
|
||||
data['feeds:disableRSS'] = parseInt(meta.config['feeds:disableRSS'], 10) === 1;
|
||||
data.csrf = req.csrfToken();
|
||||
|
||||
var topic_url = tid + (req.params.slug ? '/' + req.params.slug : '');
|
||||
var queryString = qs.stringify(req.query);
|
||||
|
||||
@@ -61,7 +61,7 @@ middleware.buildHeader = function(req, res, next) {
|
||||
}
|
||||
}, function(err, pluginData) {
|
||||
var data = {
|
||||
csrf: res.locals.csrf_token,
|
||||
csrf: req.csrfToken ? req.csrfToken() : undefined,
|
||||
relative_path: nconf.get('relative_path'),
|
||||
plugins: pluginData.custom_header.plugins,
|
||||
authentication: pluginData.custom_header.authentication,
|
||||
|
||||
@@ -20,7 +20,6 @@ var utils = require('./../../public/src/utils'),
|
||||
compression = require('compression'),
|
||||
favicon = require('serve-favicon'),
|
||||
multipart = require('connect-multiparty'),
|
||||
csrf = require('csurf'),
|
||||
session = require('express-session'),
|
||||
cluster = require('cluster'),
|
||||
|
||||
@@ -116,10 +115,8 @@ module.exports = function(app, data) {
|
||||
}));
|
||||
|
||||
app.use(multipart());
|
||||
app.use(csrf());
|
||||
|
||||
app.use(function (req, res, next) {
|
||||
res.locals.csrf_token = req.csrfToken();
|
||||
res.setHeader('X-Powered-By', 'NodeBB');
|
||||
|
||||
res.setHeader('X-Frame-Options', 'SAMEORIGIN');
|
||||
|
||||
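Review bot: Dropping `app.use(csrf())` changes CSRF enforcement from deny-by-default to opt-in: only the `app.post`/`router.post` registrations touched in this commit gain `middleware.requireCSRF`, and any other state-changing route in the codebase, which this diff cannot show, is now unprotected unless someone remembers to add it. `/logout` in the `@@ -197,8 +197,8 @@` hunk is one visible example. A safer shape keeps the global middleware and skips it only for the named exceptions, or adds a startup-time check that every non-GET route carries `requireCSRF`; at minimum the decision deserves a comment where the global line used to be, e.g. `// CSRF is no longer enforced globally; each state-changing route must list middleware.requireCSRF`. The surrounding `module.exports` function starts and ends outside the hunk.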
@@ -16,6 +16,7 @@ var app,
|
||||
topics = require('./../topics'),
|
||||
messaging = require('../messaging'),
|
||||
ensureLoggedIn = require('connect-ensure-login'),
|
||||
csrf = require('csurf'),
|
||||
|
||||
controllers = {
|
||||
api: require('./../controllers/api')
|
||||
@@ -33,6 +34,8 @@ middleware.authenticate = function(req, res, next) {
|
||||
}
|
||||
};
|
||||
|
||||
middleware.requireCSRF = csrf();
|
||||
|
||||
middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn();
|
||||
|
||||
middleware.updateLastOnlineTime = function(req, res, next) {
|
||||
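Review bot: `middleware.requireCSRF = csrf();` is created with csurf's defaults, which keep the secret in `req.session` and read the token from `req.body._csrf`, `req.query._csrf` or the `csrf-token`/`x-csrf-token` style headers, so it only works on routes mounted after the session middleware, and its GET/HEAD/OPTIONS passthrough is what lets the route hunks place it on `app.get` handlers purely to mint a token. None of that is recorded next to the definition. I would add `// Opt-in CSRF guard (csurf, session-backed): must run after express-session; GET/HEAD/OPTIONS pass through and only mint req.csrfToken, so every state-changing route has to list this explicitly.` `middleware.authenticate` above it starts outside the hunk.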
@@ -278,7 +281,7 @@ middleware.renderHeader = function(req, res, callback) {
|
||||
'cache-buster': meta.config['cache-buster'] ? 'v=' + meta.config['cache-buster'] : '',
|
||||
'brand:logo': meta.config['brand:logo'] || '',
|
||||
'brand:logo:display': meta.config['brand:logo']?'':'hide',
|
||||
csrf: res.locals.csrf_token,
|
||||
csrf: req.csrfToken ? req.csrfToken() : undefined,
|
||||
navigation: custom_header.navigation,
|
||||
allowRegistration: meta.config.allowRegistration === undefined || parseInt(meta.config.allowRegistration, 10) === 1,
|
||||
searchEnabled: plugins.hasListeners('filter:search.query')
|
||||
|
||||
@@ -9,8 +9,8 @@ function mainRoutes(app, middleware, controllers) {
|
||||
app.get('/admin/plugins', middleware.admin.buildHeader, controllers.admin.plugins.get);
|
||||
app.get('/api/admin/plugins', controllers.admin.plugins.get);
|
||||
|
||||
app.get('/admin/settings', middleware.admin.buildHeader, controllers.admin.settings.get);
|
||||
app.get('/api/admin/settings', controllers.admin.settings.get);
|
||||
app.get('/admin/settings', middleware.requireCSRF, middleware.admin.buildHeader, controllers.admin.settings.get);
|
||||
app.get('/api/admin/settings', middleware.requireCSRF, controllers.admin.settings.get);
|
||||
|
||||
app.get('/admin/themes', middleware.admin.buildHeader, controllers.admin.themes.get);
|
||||
app.get('/api/admin/themes', controllers.admin.themes.get);
|
||||
@@ -43,11 +43,11 @@ function userRoutes(app, middleware, controllers) {
|
||||
}
|
||||
|
||||
function forumRoutes(app, middleware, controllers) {
|
||||
app.get('/admin/categories/active', middleware.admin.buildHeader, controllers.admin.categories.active);
|
||||
app.get('/api/admin/categories/active', controllers.admin.categories.active);
|
||||
app.get('/admin/categories/active', middleware.requireCSRF, middleware.admin.buildHeader, controllers.admin.categories.active);
|
||||
app.get('/api/admin/categories/active', middleware.requireCSRF, controllers.admin.categories.active);
|
||||
|
||||
app.get('/admin/categories/disabled', middleware.admin.buildHeader, controllers.admin.categories.disabled);
|
||||
app.get('/api/admin/categories/disabled', controllers.admin.categories.disabled);
|
||||
app.get('/admin/categories/disabled', middleware.requireCSRF, middleware.admin.buildHeader, controllers.admin.categories.disabled);
|
||||
app.get('/api/admin/categories/disabled', middleware.requireCSRF, controllers.admin.categories.disabled);
|
||||
|
||||
app.get('/admin/tags', middleware.admin.buildHeader, controllers.admin.tags.get);
|
||||
app.get('/api/admin/tags', controllers.admin.tags.get);
|
||||
@@ -57,10 +57,10 @@ function apiRoutes(app, middleware, controllers) {
|
||||
// todo, needs to be in api namespace
|
||||
app.get('/admin/users/csv', middleware.authenticate, controllers.admin.users.getCSV);
|
||||
|
||||
app.post('/admin/category/uploadpicture', middleware.authenticate, controllers.admin.uploads.uploadCategoryPicture);
|
||||
app.post('/admin/uploadfavicon', middleware.authenticate, controllers.admin.uploads.uploadFavicon);
|
||||
app.post('/admin/uploadlogo', middleware.authenticate, controllers.admin.uploads.uploadLogo);
|
||||
app.post('/admin/uploadgravatardefault', middleware.authenticate, controllers.admin.uploads.uploadGravatarDefault);
|
||||
app.post('/admin/category/uploadpicture', middleware.requireCSRF, middleware.authenticate, controllers.admin.uploads.uploadCategoryPicture);
|
||||
app.post('/admin/uploadfavicon', middleware.requireCSRF, middleware.authenticate, controllers.admin.uploads.uploadFavicon);
|
||||
app.post('/admin/uploadlogo', middleware.requireCSRF, middleware.authenticate, controllers.admin.uploads.uploadLogo);
|
||||
app.post('/admin/uploadgravatardefault', middleware.requireCSRF, middleware.authenticate, controllers.admin.uploads.uploadGravatarDefault);
|
||||
}
|
||||
|
||||
function miscRoutes(app, middleware, controllers) {
|
||||
|
||||
@@ -203,8 +203,8 @@ module.exports = function(app, middleware, controllers) {
|
||||
router.get('/categories/:cid/moderators', getModerators);
|
||||
router.get('/recent/posts/:term?', getRecentPosts);
|
||||
|
||||
router.post('/post/upload', uploadPost);
|
||||
router.post('/topic/thumb/upload', uploadThumb);
|
||||
router.post('/user/:userslug/uploadpicture', middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.uploadPicture);
|
||||
router.post('/post/upload', middleware.requireCSRF, uploadPost);
|
||||
router.post('/topic/thumb/upload', middleware.requireCSRF, uploadThumb);
|
||||
router.post('/user/:userslug/uploadpicture', middleware.requireCSRF, middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.uploadPicture);
|
||||
|
||||
};
|
||||
|
||||
@@ -197,8 +197,8 @@
|
||||
/* End backwards compatibility block */
|
||||
|
||||
app.post('/logout', logout);
|
||||
app.post('/register', register);
|
||||
app.post('/login', login);
|
||||
app.post('/register', middleware.requireCSRF, register);
|
||||
app.post('/login', middleware.requireCSRF, login);
|
||||
});
|
||||
});
|
||||
};
|
||||
|
||||
@@ -21,11 +21,11 @@ function mainRoutes(app, middleware, controllers) {
|
||||
app.get('/', middleware.buildHeader, controllers.home);
|
||||
app.get('/api', controllers.home);
|
||||
|
||||
app.get('/login', middleware.redirectToAccountIfLoggedIn, middleware.buildHeader, controllers.login);
|
||||
app.get('/api/login', middleware.redirectToAccountIfLoggedIn, controllers.login);
|
||||
app.get('/login', middleware.requireCSRF, middleware.redirectToAccountIfLoggedIn, middleware.buildHeader, controllers.login);
|
||||
app.get('/api/login', middleware.requireCSRF, middleware.redirectToAccountIfLoggedIn, controllers.login);
|
||||
|
||||
app.get('/register', middleware.redirectToAccountIfLoggedIn, middleware.buildHeader, controllers.register);
|
||||
app.get('/api/register', middleware.redirectToAccountIfLoggedIn, controllers.register);
|
||||
app.get('/register', middleware.requireCSRF, middleware.redirectToAccountIfLoggedIn, middleware.buildHeader, controllers.register);
|
||||
app.get('/api/register', middleware.requireCSRF, middleware.redirectToAccountIfLoggedIn, controllers.register);
|
||||
|
||||
app.get('/confirm/:code', middleware.buildHeader, controllers.confirmEmail);
|
||||
app.get('/api/confirm/:code', controllers.confirmEmail);
|
||||
@@ -54,11 +54,11 @@ function staticRoutes(app, middleware, controllers) {
|
||||
function topicRoutes(app, middleware, controllers) {
|
||||
app.get('/api/topic/teaser/:topic_id', controllers.topics.teaser);
|
||||
|
||||
app.get('/topic/:topic_id/:slug/:post_index?', middleware.buildHeader, middleware.checkPostIndex, controllers.topics.get);
|
||||
app.get('/api/topic/:topic_id/:slug/:post_index?', middleware.checkPostIndex, controllers.topics.get);
|
||||
app.get('/topic/:topic_id/:slug/:post_index?', middleware.requireCSRF, middleware.buildHeader, middleware.checkPostIndex, controllers.topics.get);
|
||||
app.get('/api/topic/:topic_id/:slug/:post_index?', middleware.requireCSRF, middleware.checkPostIndex, controllers.topics.get);
|
||||
|
||||
app.get('/topic/:topic_id/:slug?', middleware.buildHeader, middleware.addSlug, controllers.topics.get);
|
||||
app.get('/api/topic/:topic_id/:slug?', middleware.addSlug, controllers.topics.get);
|
||||
app.get('/topic/:topic_id/:slug?', middleware.requireCSRF, middleware.buildHeader, middleware.addSlug, controllers.topics.get);
|
||||
app.get('/api/topic/:topic_id/:slug?', middleware.requireCSRF, middleware.addSlug, controllers.topics.get);
|
||||
}
|
||||
|
||||
function tagRoutes(app, middleware, controllers) {
|
||||
@@ -82,11 +82,11 @@ function categoryRoutes(app, middleware, controllers) {
|
||||
|
||||
app.get('/api/unread/total', middleware.authenticate, controllers.categories.unreadTotal);
|
||||
|
||||
app.get('/category/:category_id/:slug/:topic_index', middleware.buildHeader, middleware.checkTopicIndex, controllers.categories.get);
|
||||
app.get('/api/category/:category_id/:slug/:topic_index', middleware.checkTopicIndex, controllers.categories.get);
|
||||
app.get('/category/:category_id/:slug/:topic_index', middleware.requireCSRF, middleware.buildHeader, middleware.checkTopicIndex, controllers.categories.get);
|
||||
app.get('/api/category/:category_id/:slug/:topic_index', middleware.requireCSRF, middleware.checkTopicIndex, controllers.categories.get);
|
||||
|
||||
app.get('/category/:category_id/:slug?', middleware.buildHeader, middleware.addSlug, controllers.categories.get);
|
||||
app.get('/api/category/:category_id/:slug?', controllers.categories.get);
|
||||
app.get('/category/:category_id/:slug?', middleware.requireCSRF, middleware.buildHeader, middleware.addSlug, controllers.categories.get);
|
||||
app.get('/api/category/:category_id/:slug?', middleware.requireCSRF, controllers.categories.get);
|
||||
}
|
||||
|
||||
function accountRoutes(app, middleware, controllers) {
|
||||
@@ -108,8 +108,8 @@ function accountRoutes(app, middleware, controllers) {
|
||||
app.get('/user/:userslug/topics', middleware.buildHeader, middleware.checkGlobalPrivacySettings, controllers.accounts.getTopics);
|
||||
app.get('/api/user/:userslug/topics', middleware.checkGlobalPrivacySettings, controllers.accounts.getTopics);
|
||||
|
||||
app.get('/user/:userslug/edit', middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
|
||||
app.get('/api/user/:userslug/edit', middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
|
||||
app.get('/user/:userslug/edit', middleware.requireCSRF, middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
|
||||
app.get('/api/user/:userslug/edit', middleware.requireCSRF, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
|
||||
|
||||
app.get('/user/:userslug/settings', middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings);
|
||||
app.get('/api/user/:userslug/settings', middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings);
|
||||
|
||||