diff options
author | Florian Pritz <bluewind@xinu.at> | 2019-01-28 16:02:39 +0100 |
---|---|---|
committer | Florian Pritz <bluewind@xinu.at> | 2019-01-28 17:27:26 +0100 |
commit | b6cc01ee98cbd75f80434250beb0ab7d1f708644 (patch) | |
tree | a7527c851db9076e480d9b9fcd26e934887120e7 | |
parent | 7d0557f9c79c130c4de0f8af810d0881d19c58d0 (diff) |
Disable CSRF token regeneration for multipaste AJAX
If regeneration is on, the token is recreated after the first AJAX
submit and subsequent ajax submits or normal form submits break. By
disabling it here, we limit potential security issues to only this page,
but it also only works if the user does not submit any other forms while
they are on the AJAX page.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | application/core/MY_Controller.php | 5 |
2 files changed, 6 insertions, 0 deletions
@@ -1,6 +1,7 @@ This file lists major, incompatible or otherwise important changes, you should look at it after every update. NEXT + - Fix CSRF issue breaking multipaste creation page - Update codeigniter to 3.1.10 - Remove imagemagick PDF thumbnail support due to Arch Linux disabling it in imagemagick due to repeated security concerns. diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php index a3b6d15d7..250c9d95c 100644 --- a/application/core/MY_Controller.php +++ b/application/core/MY_Controller.php @@ -117,6 +117,11 @@ class MY_Controller extends CI_Controller { // 2 functions for accessing config options, really? $this->config->set_item('csrf_protection', true); config_item("csrf_protection", true); + + if ($this->uri->uri_string() == "file/multipaste/ajax_submit") { + $this->config->set_item('csrf_regenerate', false); + } + $this->security->__construct(); $this->security->csrf_verify(); } |