upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-19 08:25:56 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

Merge pull request #47446 from nextcloud/backport/44369/stable27

Browse source 
[stable27] fix: csrf check failed on public share with password
This commit is contained in:
Arthur Schiwon 2024-08-23 14:54:57 +02:00 committed by GitHub
commit 2db5d062ef
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 27 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
core/src/main.js
View file

@ -37,6 +37,8 @@ import './globals.js'
import './jquery/index.js'
import { initCore } from './init.js'
import { getRequestToken } from '@nextcloud/auth'
import { generateUrl } from '@nextcloud/router'
import Axios from '@nextcloud/axios'
// eslint-disable-next-line camelcase
__webpack_nonce__ = btoa(getRequestToken())
@ -52,3 +54,20 @@ window.addEventListener('DOMContentLoaded', function() {
$(window).on('hashchange', _.bind(OC.Util.History._onPopState, OC.Util.History))
}
})
// Fix error "CSRF check failed"
document.addEventListener('DOMContentLoaded', function() {
const form = document.getElementById('password-input-form')
if (form) {
form.addEventListener('submit', async function(event) {
event.preventDefault()
const requestToken = document.getElementById('requesttoken')
if (requestToken) {
const url = generateUrl('/csrftoken')
const resp = await Axios.get(url)
requestToken.value = resp.data.token
}
form.submit()
})
}
})

10
core/templates/publicshareauth.php
View file

@ -22,7 +22,7 @@
<?php endif; ?>
<p>
<label for="password" class="infield"><?php p($l->t('Password')); ?></label>
<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
<input type="hidden" id="requesttoken" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
<input type="password" name="password" id="password"
placeholder="<?php p($l->t('Password')); ?>" value=""
autocomplete="new-password" autocapitalize="off" autocorrect="off"
@ -34,7 +34,7 @@
</p>
</fieldset>
</form>
<!-- email prompt form. It should initially be hidden -->
<?php if (isset($_['identityOk'])): ?>
<form method="post" id="email-input-form">
@ -46,7 +46,7 @@
<p>
<input type="email" id="email" name="identityToken" placeholder="<?php p($l->t('Email address')); ?>" />
<input type="submit" id="password-request" name="passwordRequest" class="svg icon-confirm input-button-inline" value="" disabled="disabled"/>
<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
<input type="hidden" id="requesttoken" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
<input type="hidden" name="sharingToken" value="<?php p($_['share']->getToken()) ?>" id="sharingToken">
<input type="hidden" name="sharingType" value="<?php p($_['share']->getShareType()) ?>" id="sharingType">
</p>
@ -59,12 +59,12 @@
<?php endif; ?>
</fieldset>
</form>
<!-- request password button -->
<?php if (!isset($_['identityOk']) && $_['share']->getShareType() === $_['share']::TYPE_EMAIL && !$_['share']->getSendPasswordByTalk()): ?>
<a id="request-password-button-not-talk"><?php p($l->t('Forgot password?')); ?></a>
<?php endif; ?>
<!-- back to showShare button -->
<form method="get">
<fieldset>

4
dist/core-main.js vendored
View file

File diff suppressed because one or more lines are too long

2
dist/core-main.js.map vendored
View file

File diff suppressed because one or more lines are too long