From 1c1b4b19e132675c260335a957aa43ad8394e0a5 Mon Sep 17 00:00:00 2001 From: Hannes Mannerheim Date: Tue, 17 Jan 2017 16:53:46 +0100 Subject: [PATCH] revert the crappy csrf fix. already fixed by @mmn in newer gnusocial. --- QvitterPlugin.php | 28 ---------------------------- actions/qvitter.php | 9 --------- actions/qvitterlogin.php | 11 ----------- js/ajax-functions.js | 33 --------------------------------- js/misc-functions.js | 12 ------------ js/qvitter.js | 18 ------------------ 6 files changed, 111 deletions(-) diff --git a/QvitterPlugin.php b/QvitterPlugin.php index 8ebeae5..e1540da 100644 --- a/QvitterPlugin.php +++ b/QvitterPlugin.php @@ -422,16 +422,6 @@ class QvitterPlugin extends Plugin { } - /** - * Remove CSRF cookie on logout - * - */ - - function onEndLogout($action) { - common_set_cookie('Qvitter-CSRF', '', 0); - return true; - } - /** * Add script to default ui, to be able to toggle Qvitter with one click 
@@ -1295,24 +1285,6 @@ class QvitterPlugin extends Plugin { */ public function onEndSetApiUser($user) { - // if we're POST:ing and are logged in using a regular session (i.e. not basic auth or oauth) - // check that we have a correct csrf cookie and header, otherwise deny - if(common_logged_in() && $_SERVER['REQUEST_METHOD'] === 'POST') { - if(!isset($_COOKIE['Qvitter-CSRF'])) { - throw new ServerException(_('Error setting user. Missing authorization cookie data. Please logout and login again.')); - } - $csrf_token = sha1(common_config('qvitter', 'appid').session_id()); - if($_COOKIE['Qvitter-CSRF'] != $csrf_token) { - throw new ServerException(_('Error setting user. Invalid authorization cookie data. Please logout and login again.')); - } - if(!isset($_SERVER['HTTP_X_QVITTER_CSRF'])) { - throw new ServerException(_('Error setting user. Missing authorization header data. Please logout and login again.')); - } - if($_SERVER['HTTP_X_QVITTER_CSRF'] != $csrf_token) { - throw new ServerException(_('Error setting user. Invalid authorization header data. Please logout and login again.')); - } - } - // cleanup sessions, to allow for simultaneous http-requests, // e.g. if posting a notice takes a very long time Session::cleanup(); diff --git a/actions/qvitter.php b/actions/qvitter.php index 61ad204..5b8e790 100644 --- a/actions/qvitter.php +++ b/actions/qvitter.php @@ -45,15 +45,6 @@ class QvitterAction extends ApiAction { parent::prepare($args); - // if we're logged in but we have missing or incorrect csrf cookie, logout - if(common_logged_in()) { - $csrf_token = sha1(common_config('qvitter', 'appid').session_id()); - if(!isset($_COOKIE['Qvitter-CSRF']) || $_COOKIE['Qvitter-CSRF'] != $csrf_token) { - header('Location: '.common_path('').'main/logout'); - die(); - } - } - $user = common_current_user(); return true; diff --git a/actions/qvitterlogin.php b/actions/qvitterlogin.php index f350662..800cc84 100644 --- a/actions/qvitterlogin.php +++ b/actions/qvitterlogin.php 
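Review bot: With the cookie/header comparison removed, onEndSetApiUser accepts session-authenticated POSTs without any plugin-level CSRF check, so protection of every API action this plugin routes now rests entirely on the GNU social core it runs under; the commit message says newer core covers this, but nothing in the hunk records that dependency. I would leave a comment where the block was removed, e.g. `// No CSRF check here on purpose: session-authenticated API POSTs are protected by GNU social core (requires core version TODO-FILL-IN or later)`, and, if the plugin already has a minimum-core-version check at load time, tie this requirement to it so the plugin does not silently run unprotected on an older core. The qvitter.php prepare() hunk below has the same dependency, and the JS side confirms it: apart from the `main/ostatussub` call in qvitter.js, which still sends `token: window.commonSessionToken`, none of the POSTs in ajax-functions.js or qvitter.js carry an anti-CSRF value after this change. onEndSetApiUser continues outside the hunk.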
@@ -112,17 +112,6 @@ class QvitterLoginAction extends FormAction common_rememberme($user); } - // make sure we have a unique app id for this Qvitter installation in config - // to use for creating a csrf token - if(common_config('qvitter', 'appid') == false) { - Config::save('qvitter', 'appid', sha1(common_random_hexstr(16))); - } - - // set csrf-cookie - $csrf_token = sha1(common_config('qvitter', 'appid').session_id()); - common_set_cookie('Qvitter-CSRF', $csrf_token, time() + 60*60*24*30); // 1 month - - $url = common_get_returnto(); if ($url) { diff --git a/js/ajax-functions.js b/js/ajax-functions.js index fcab8d8..9f2734d 100644 --- a/js/ajax-functions.js +++ b/js/ajax-functions.js @@ -334,9 +334,6 @@ function postUpdateBookmarks(newBookmarks) { $.ajax({ url: window.apiRoot + 'qvitter/update_bookmarks.json', cache: false, type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { bookmarks: bookmarksString }, @@ -361,9 +358,6 @@ function postNewLinkColor(newLinkColor) { $.ajax({ url: window.apiRoot + 'qvitter/update_link_color.json', cache: false, type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { linkcolor: newLinkColor }, @@ -389,9 +383,6 @@ function postNewBackgroundColor(newBackgroundColor) { $.ajax({ url: window.apiRoot + 'qvitter/update_background_color.json', cache: false, type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { backgroundcolor: newBackgroundColor }, @@ -421,9 +412,6 @@ function postSetProfilePref(namespace, topic, data, callback) { $.ajax({ url: window.apiRoot + 'qvitter/set_profile_pref.json', cache: false, type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { namespace: namespace, topic: topic, 
@@ -460,9 +448,6 @@ function APIFollowOrUnfollowUser(followOrUnfollow,user_id,this_element,actionOnS $.ajax({ url: window.apiRoot + postRequest, cache: false, type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { user_id: user_id }, @@ -500,9 +485,6 @@ function APIBlockOrUnblockUser(blockOrUnblock,user_id,actionOnSuccess) { $.ajax({ url: window.apiRoot + postRequest, cache: false, type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { id: user_id }, @@ -533,9 +515,6 @@ function APISandboxCreateOrDestroy(createOrDestroy,userId,actionOnSuccess) { $.ajax({ url: window.apiRoot + 'qvitter/sandbox/' + createOrDestroy + '.json', cache: false, type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { id: userId }, @@ -566,9 +545,6 @@ function APISilenceCreateOrDestroy(createOrDestroy,userId,actionOnSuccess) { $.ajax({ url: window.apiRoot + 'qvitter/silence/' + createOrDestroy + '.json', cache: false, type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { id: userId }, @@ -601,9 +577,6 @@ function APIJoinOrLeaveGroup(joinOrLeave,group_id,this_element,actionOnSuccess) $.ajax({ url: window.apiRoot + 'statusnet/groups/' + joinOrLeave + '.json', cache: false, type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { id: group_id }, @@ -635,9 +608,6 @@ function postQueetToAPI(queetText_txt, in_reply_to_status_id, postToGroups, acti $.ajax({ url: window.apiRoot + 'qvitter/statuses/update.json', cache: false, type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { status: queetText_txt, source: 'Qvitter', 
@@ -673,9 +643,6 @@ function postActionToAPI(action, actionOnSuccess) { $.ajax({ url: window.apiRoot + action, cache: false, type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { source: 'Qvitter' }, diff --git a/js/misc-functions.js b/js/misc-functions.js index b0a8823..50bbe6b 100644 --- a/js/misc-functions.js +++ b/js/misc-functions.js @@ -37,18 +37,6 @@ · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · */ -/* · - · - · Get cookie by name - · - · @param a: cookie name - · - · · · · · · · · · */ - -function getCookieValue(a) { - var b = document.cookie.match('(^|;)\\s*' + a + '\\s*=\\s*([^;]+)'); - return b ? b.pop() : ''; -} /* · · diff --git a/js/qvitter.js b/js/qvitter.js index 87220a9..3db4271 100644 --- a/js/qvitter.js +++ b/js/qvitter.js @@ -1672,9 +1672,6 @@ $('body').on('click','.qvitter-follow-button',function(event){ // if there's no local user id, we have to take a detour $.ajax({ url: window.siteInstanceURL + 'main/ostatussub', type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { token: window.commonSessionToken, profile: $(this).attr('data-follow-user'), @@ -3848,9 +3845,6 @@ $('body').on('click','.crop-and-save-button',function(){ $.ajax({ url: window.apiRoot + 'account/update_profile_banner.json', type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: coverImgFormData, processData: false, contentType: false, 
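Review bot: Deleting the global getCookieValue() in misc-functions.js removes a helper that other scripts could still reference; every caller visible in this diff is removed alongside it, but a call site outside the diff would only fail at runtime with a ReferenceError when that code path runs, not at load. Worth a repository-wide search for `getCookieValue(` before merging, or, if the helper is still useful elsewhere, keeping it in place with its doc comment rather than dropping it with the CSRF code.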
@@ -3884,9 +3878,6 @@ $('body').on('click','.crop-and-save-button',function(){ else if($('#edit-profile-popup .jwc_frame.avatar-to-crop').length>0) { $.ajax({ url: window.apiRoot + 'qvitter/update_avatar.json', type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { cropH: window.jwc.result.cropH, cropW: window.jwc.result.cropW, @@ -3919,9 +3910,6 @@ $('body').on('click','.crop-and-save-button',function(){ else if($('#edit-profile-popup .jwc_frame.background-to-crop').length>0) { $.ajax({ url: window.apiRoot + 'qvitter/update_background_image.json', type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { cropH: window.jwc.result.cropH, cropW: window.jwc.result.cropW, @@ -3961,9 +3949,6 @@ $('body').on('click','.save-profile-button',function(){ if(validateEditProfileForm($('#edit-profile-popup'))) { $.ajax({ url: window.apiRoot + 'account/update_profile.json', type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: { name: $('#edit-profile-popup input.fullname').val(), url: $('#edit-profile-popup input.url').val(), @@ -4157,9 +4142,6 @@ function uploadAttachment(e, thisUploadButton) { // upload $.ajax({ url: window.apiRoot + 'statusnet/media/upload', type: "POST", - beforeSend: function (xhr) { - xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF')); - }, data: imgFormData, contentType: false, processData: false,