Skip to content

Commit

Permalink
Merge pull request #47446 from nextcloud/backport/44369/stable27
Browse files Browse the repository at this point in the history
 [stable27] fix: csrf check failed on public share with password
  • Loading branch information
blizzz authored Aug 23, 2024
2 parents 15c98cb + bbb998d commit 2db5d06
Show file tree
Hide file tree
Showing 4 changed files with 27 additions and 8 deletions.
19 changes: 19 additions & 0 deletions core/src/main.js
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ import './globals.js'
import './jquery/index.js'
import { initCore } from './init.js'
import { getRequestToken } from '@nextcloud/auth'
import { generateUrl } from '@nextcloud/router'
import Axios from '@nextcloud/axios'

// eslint-disable-next-line camelcase
__webpack_nonce__ = btoa(getRequestToken())
Expand All @@ -52,3 +54,20 @@ window.addEventListener('DOMContentLoaded', function() {
$(window).on('hashchange', _.bind(OC.Util.History._onPopState, OC.Util.History))
}
})

// Fix error "CSRF check failed"
document.addEventListener('DOMContentLoaded', function() {
const form = document.getElementById('password-input-form')
if (form) {
form.addEventListener('submit', async function(event) {
event.preventDefault()
const requestToken = document.getElementById('requesttoken')
if (requestToken) {
const url = generateUrl('/csrftoken')
const resp = await Axios.get(url)
requestToken.value = resp.data.token
}
form.submit()
})
}
})
10 changes: 5 additions & 5 deletions core/templates/publicshareauth.php
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
<?php endif; ?>
<p>
<label for="password" class="infield"><?php p($l->t('Password')); ?></label>
<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
<input type="hidden" id="requesttoken" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
<input type="password" name="password" id="password"
placeholder="<?php p($l->t('Password')); ?>" value=""
autocomplete="new-password" autocapitalize="off" autocorrect="off"
Expand All @@ -34,7 +34,7 @@ class="svg icon-confirm input-button-inline" value="" disabled="disabled" />
</p>
</fieldset>
</form>

<!-- email prompt form. It should initially be hidden -->
<?php if (isset($_['identityOk'])): ?>
<form method="post" id="email-input-form">
Expand All @@ -46,7 +46,7 @@ class="svg icon-confirm input-button-inline" value="" disabled="disabled" />
<p>
<input type="email" id="email" name="identityToken" placeholder="<?php p($l->t('Email address')); ?>" />
<input type="submit" id="password-request" name="passwordRequest" class="svg icon-confirm input-button-inline" value="" disabled="disabled"/>
<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
<input type="hidden" id="requesttoken" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
<input type="hidden" name="sharingToken" value="<?php p($_['share']->getToken()) ?>" id="sharingToken">
<input type="hidden" name="sharingType" value="<?php p($_['share']->getShareType()) ?>" id="sharingType">
</p>
Expand All @@ -59,12 +59,12 @@ class="svg icon-confirm input-button-inline" value="" disabled="disabled" />
<?php endif; ?>
</fieldset>
</form>

<!-- request password button -->
<?php if (!isset($_['identityOk']) && $_['share']->getShareType() === $_['share']::TYPE_EMAIL && !$_['share']->getSendPasswordByTalk()): ?>
<a id="request-password-button-not-talk"><?php p($l->t('Forgot password?')); ?></a>
<?php endif; ?>

<!-- back to showShare button -->
<form method="get">
<fieldset>
Expand Down
4 changes: 2 additions & 2 deletions dist/core-main.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/core-main.js.map

Large diffs are not rendered by default.

0 comments on commit 2db5d06

Please sign in to comment.