wamo/Qvitter
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

revert the crappy csrf fix. already fixed by @mmn in newer gnusocial.

Browse Source
This commit is contained in:
Hannes Mannerheim 2017-01-17 16:53:46 +01:00
parent 8ede339c05
commit 1c1b4b19e1
6 changed files with 0 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
QvitterPlugin.php
View File

@ -422,16 +422,6 @@ class QvitterPlugin extends Plugin {
} }
/**
* Remove CSRF cookie on logout
*
*/
function onEndLogout($action) {
common_set_cookie('Qvitter-CSRF', '', 0);
return true;
}
/** /**
* Add script to default ui, to be able to toggle Qvitter with one click * Add script to default ui, to be able to toggle Qvitter with one click
@ -1295,24 +1285,6 @@ class QvitterPlugin extends Plugin {
*/ */
public function onEndSetApiUser($user) { public function onEndSetApiUser($user) {
// if we're POST:ing and are logged in using a regular session (i.e. not basic auth or oauth)
// check that we have a correct csrf cookie and header, otherwise deny
if(common_logged_in() && $_SERVER['REQUEST_METHOD'] === 'POST') {
if(!isset($_COOKIE['Qvitter-CSRF'])) {
throw new ServerException(_('Error setting user. Missing authorization cookie data. Please logout and login again.'));
}
$csrf_token = sha1(common_config('qvitter', 'appid').session_id());
if($_COOKIE['Qvitter-CSRF'] != $csrf_token) {
throw new ServerException(_('Error setting user. Invalid authorization cookie data. Please logout and login again.'));
}
if(!isset($_SERVER['HTTP_X_QVITTER_CSRF'])) {
throw new ServerException(_('Error setting user. Missing authorization header data. Please logout and login again.'));
}
if($_SERVER['HTTP_X_QVITTER_CSRF'] != $csrf_token) {
throw new ServerException(_('Error setting user. Invalid authorization header data. Please logout and login again.'));
}
}
// cleanup sessions, to allow for simultaneous http-requests, // cleanup sessions, to allow for simultaneous http-requests,
// e.g. if posting a notice takes a very long time // e.g. if posting a notice takes a very long time
Session::cleanup(); Session::cleanup();

9
actions/qvitter.php
View File

@ -45,15 +45,6 @@ class QvitterAction extends ApiAction
{ {
parent::prepare($args); parent::prepare($args);
// if we're logged in but we have missing or incorrect csrf cookie, logout
if(common_logged_in()) {
$csrf_token = sha1(common_config('qvitter', 'appid').session_id());
if(!isset($_COOKIE['Qvitter-CSRF']) || $_COOKIE['Qvitter-CSRF'] != $csrf_token) {
header('Location: '.common_path('').'main/logout');
die();
}
}
$user = common_current_user(); $user = common_current_user();
return true; return true;

11
actions/qvitterlogin.php
View File

@ -112,17 +112,6 @@ class QvitterLoginAction extends FormAction
common_rememberme($user); common_rememberme($user);
} }
// make sure we have a unique app id for this Qvitter installation in config
// to use for creating a csrf token
if(common_config('qvitter', 'appid') == false) {
Config::save('qvitter', 'appid', sha1(common_random_hexstr(16)));
}
// set csrf-cookie
$csrf_token = sha1(common_config('qvitter', 'appid').session_id());
common_set_cookie('Qvitter-CSRF', $csrf_token, time() + 60*60*24*30); // 1 month
$url = common_get_returnto(); $url = common_get_returnto();
if ($url) { if ($url) {

33
js/ajax-functions.js
View File

@ -334,9 +334,6 @@ function postUpdateBookmarks(newBookmarks) {
$.ajax({ url: window.apiRoot + 'qvitter/update_bookmarks.json', $.ajax({ url: window.apiRoot + 'qvitter/update_bookmarks.json',
cache: false, cache: false,
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
bookmarks: bookmarksString bookmarks: bookmarksString
}, },
@ -361,9 +358,6 @@ function postNewLinkColor(newLinkColor) {
$.ajax({ url: window.apiRoot + 'qvitter/update_link_color.json', $.ajax({ url: window.apiRoot + 'qvitter/update_link_color.json',
cache: false, cache: false,
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
linkcolor: newLinkColor linkcolor: newLinkColor
}, },
@ -389,9 +383,6 @@ function postNewBackgroundColor(newBackgroundColor) {
$.ajax({ url: window.apiRoot + 'qvitter/update_background_color.json', $.ajax({ url: window.apiRoot + 'qvitter/update_background_color.json',
cache: false, cache: false,
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
backgroundcolor: newBackgroundColor backgroundcolor: newBackgroundColor
}, },
@ -421,9 +412,6 @@ function postSetProfilePref(namespace, topic, data, callback) {
$.ajax({ url: window.apiRoot + 'qvitter/set_profile_pref.json', $.ajax({ url: window.apiRoot + 'qvitter/set_profile_pref.json',
cache: false, cache: false,
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
namespace: namespace, namespace: namespace,
topic: topic, topic: topic,
@ -460,9 +448,6 @@ function APIFollowOrUnfollowUser(followOrUnfollow,user_id,this_element,actionOnS
$.ajax({ url: window.apiRoot + postRequest, $.ajax({ url: window.apiRoot + postRequest,
cache: false, cache: false,
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
user_id: user_id user_id: user_id
}, },
@ -500,9 +485,6 @@ function APIBlockOrUnblockUser(blockOrUnblock,user_id,actionOnSuccess) {
$.ajax({ url: window.apiRoot + postRequest, $.ajax({ url: window.apiRoot + postRequest,
cache: false, cache: false,
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
id: user_id id: user_id
}, },
@ -533,9 +515,6 @@ function APISandboxCreateOrDestroy(createOrDestroy,userId,actionOnSuccess) {
$.ajax({ url: window.apiRoot + 'qvitter/sandbox/' + createOrDestroy + '.json', $.ajax({ url: window.apiRoot + 'qvitter/sandbox/' + createOrDestroy + '.json',
cache: false, cache: false,
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
id: userId id: userId
}, },
@ -566,9 +545,6 @@ function APISilenceCreateOrDestroy(createOrDestroy,userId,actionOnSuccess) {
$.ajax({ url: window.apiRoot + 'qvitter/silence/' + createOrDestroy + '.json', $.ajax({ url: window.apiRoot + 'qvitter/silence/' + createOrDestroy + '.json',
cache: false, cache: false,
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
id: userId id: userId
}, },
@ -601,9 +577,6 @@ function APIJoinOrLeaveGroup(joinOrLeave,group_id,this_element,actionOnSuccess)
$.ajax({ url: window.apiRoot + 'statusnet/groups/' + joinOrLeave + '.json', $.ajax({ url: window.apiRoot + 'statusnet/groups/' + joinOrLeave + '.json',
cache: false, cache: false,
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
id: group_id id: group_id
}, },
@ -635,9 +608,6 @@ function postQueetToAPI(queetText_txt, in_reply_to_status_id, postToGroups, acti
$.ajax({ url: window.apiRoot + 'qvitter/statuses/update.json', $.ajax({ url: window.apiRoot + 'qvitter/statuses/update.json',
cache: false, cache: false,
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
status: queetText_txt, status: queetText_txt,
source: 'Qvitter', source: 'Qvitter',
@ -673,9 +643,6 @@ function postActionToAPI(action, actionOnSuccess) {
$.ajax({ url: window.apiRoot + action, $.ajax({ url: window.apiRoot + action,
cache: false, cache: false,
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
source: 'Qvitter' source: 'Qvitter'
}, },

12
js/misc-functions.js
View File

@ -37,18 +37,6 @@
· · · ·
· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · */ · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · */
/* ·
·
· Get cookie by name
·
· @param a: cookie name
·
· · · · · · · · · */
function getCookieValue(a) {
var b = document.cookie.match('(^|;)\\s*' + a + '\\s*=\\s*([^;]+)');
return b ? b.pop() : '';
}
/* · /* ·
· ·

18
js/qvitter.js
View File

@ -1672,9 +1672,6 @@ $('body').on('click','.qvitter-follow-button',function(event){
// if there's no local user id, we have to take a detour // if there's no local user id, we have to take a detour
$.ajax({ url: window.siteInstanceURL + 'main/ostatussub', $.ajax({ url: window.siteInstanceURL + 'main/ostatussub',
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
token: window.commonSessionToken, token: window.commonSessionToken,
profile: $(this).attr('data-follow-user'), profile: $(this).attr('data-follow-user'),
@ -3848,9 +3845,6 @@ $('body').on('click','.crop-and-save-button',function(){
$.ajax({ $.ajax({
url: window.apiRoot + 'account/update_profile_banner.json', url: window.apiRoot + 'account/update_profile_banner.json',
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: coverImgFormData, data: coverImgFormData,
processData: false, processData: false,
contentType: false, contentType: false,
@ -3884,9 +3878,6 @@ $('body').on('click','.crop-and-save-button',function(){
else if($('#edit-profile-popup .jwc_frame.avatar-to-crop').length>0) { else if($('#edit-profile-popup .jwc_frame.avatar-to-crop').length>0) {
$.ajax({ url: window.apiRoot + 'qvitter/update_avatar.json', $.ajax({ url: window.apiRoot + 'qvitter/update_avatar.json',
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
cropH: window.jwc.result.cropH, cropH: window.jwc.result.cropH,
cropW: window.jwc.result.cropW, cropW: window.jwc.result.cropW,
@ -3919,9 +3910,6 @@ $('body').on('click','.crop-and-save-button',function(){
else if($('#edit-profile-popup .jwc_frame.background-to-crop').length>0) { else if($('#edit-profile-popup .jwc_frame.background-to-crop').length>0) {
$.ajax({ url: window.apiRoot + 'qvitter/update_background_image.json', $.ajax({ url: window.apiRoot + 'qvitter/update_background_image.json',
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
cropH: window.jwc.result.cropH, cropH: window.jwc.result.cropH,
cropW: window.jwc.result.cropW, cropW: window.jwc.result.cropW,
@ -3961,9 +3949,6 @@ $('body').on('click','.save-profile-button',function(){
if(validateEditProfileForm($('#edit-profile-popup'))) { if(validateEditProfileForm($('#edit-profile-popup'))) {
$.ajax({ url: window.apiRoot + 'account/update_profile.json', $.ajax({ url: window.apiRoot + 'account/update_profile.json',
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: { data: {
name: $('#edit-profile-popup input.fullname').val(), name: $('#edit-profile-popup input.fullname').val(),
url: $('#edit-profile-popup input.url').val(), url: $('#edit-profile-popup input.url').val(),
@ -4157,9 +4142,6 @@ function uploadAttachment(e, thisUploadButton) {
// upload // upload
$.ajax({ url: window.apiRoot + 'statusnet/media/upload', $.ajax({ url: window.apiRoot + 'statusnet/media/upload',
type: "POST", type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: imgFormData, data: imgFormData,
contentType: false, contentType: false,
processData: false, processData: false,