WEBLIB.RE/vpnclient_ynh
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

CSRF protection (#44)

Browse Source
This commit is contained in:
Gabriel Corona
2018-11-25 21:25:27 +01:00
committed by pitchum
parent d452b139d7
commit d8a5cc54f6
3 changed files with 34 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
conf/ynh-vpnclient-loadcubefile.sh
View File

@@ -96,7 +96,7 @@ fi
# Upload cube file # Upload cube file
output=$(curl -kL -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g') output=$(curl -kL -H "X-Requested-With: yunohost-config" -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')
# Configure IPv6 Delegated Prefix on Hotspot # Configure IPv6 Delegated Prefix on Hotspot

5
sources/controller.php
View File

@@ -117,6 +117,11 @@ dispatch('/', function() {
}); });
dispatch_put('/settings', function() { dispatch_put('/settings', function() {
if(!isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
throw new Exception('CSRF protection');
}
$service_enabled = isset($_POST['service_enabled']) ? 1 : 0; $service_enabled = isset($_POST['service_enabled']) ? 1 : 0;
if($service_enabled == 1) { if($service_enabled == 1) {

32
sources/public/js/custom.js
View File

@@ -28,7 +28,7 @@ function tabsClick() {
return false; return false;
} }
$(document).ready(function() { function ready() {
$('.btn-group').button(); $('.btn-group').button();
$('[data-toggle="tooltip"]').tooltip(); $('[data-toggle="tooltip"]').tooltip();
@@ -73,11 +73,31 @@ $(document).ready(function() {
$(choosertxtid).val($(this).val().replace(/^.*[\/\\]/, '')); $(choosertxtid).val($(this).val().replace(/^.*[\/\\]/, ''));
}); });
$('#save').click(function() { $('#form').on("submit", function(event) {
$(this).prop('disabled', true); event.preventDefault()
$('#save').prop('disabled', true);
$('#save-loading').show(); $('#save-loading').show();
$('#form').submit(); $.ajax({
url: this.action,
type: this.method,
contentType: false,
processData: false,
cache: false,
data: new FormData(this),
headers: {
'X-Requested-With': 'jQuery',
},
dataType: "html",
success: function(data){
document.body.innerHTML = new DOMParser().parseFromString(data, "text/html").body.innerHTML
ready()
},
error: function() {
$('#save').prop('disabled', false);
$('#save-loading').hide();
},
}); });
})
$('#status .close').click(function() { $('#status .close').click(function() {
$(this).parent().hide(); $(this).parent().hide();
@@ -110,4 +130,6 @@ $(document).ready(function() {
$('.enabled').show('slow'); $('.enabled').show('slow');
} }
}); });
}); }
$(document).ready(ready)