From b6cc01ee98cbd75f80434250beb0ab7d1f708644 Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xinu.at>
Date: Mon, 28 Jan 2019 16:02:39 +0100
Subject: Disable CSRF token regeneration for multipaste AJAX

If regeneration is on, the token is recreated after the first AJAX
submit and subsequent ajax submits or normal form submits break. By
disabling it here, we limit potential security issues to only this page,
but it also only works if the user does not submit any other forms while
they are on the AJAX page.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
---
 application/core/MY_Controller.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'application')

diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php
index a3b6d15d7..250c9d95c 100644
--- a/application/core/MY_Controller.php
+++ b/application/core/MY_Controller.php
@@ -117,6 +117,11 @@ class MY_Controller extends CI_Controller {
 		// 2 functions for accessing config options, really?
 		$this->config->set_item('csrf_protection', true);
 		config_item("csrf_protection", true);
+
+		if ($this->uri->uri_string() == "file/multipaste/ajax_submit") {
+			$this->config->set_item('csrf_regenerate', false);
+		}
+
 		$this->security->__construct();
 		$this->security->csrf_verify();
 	}
-- 
cgit v1.2.3-24-g4f1b