Compare commits

...

33 Commits

Author SHA1 Message Date
Hannes Mannerheim
a36628edc7 Merge branch 'master' of git.gnu.io:h2p/Qvitter 2017-02-05 13:39:49 +01:00
Hannes Mannerheim
d4fa67cc8e merge from git.gnu.io 2016-12-30 13:48:54 +01:00
Hannes Mannerheim
51740e4d49 merge from git.gnu.io 2016-11-21 22:47:25 +01:00
Hannes Mannerheim
d7ab9cd72e Merge branch 'master' of git.gnu.io:h2p/Qvitter 2016-10-31 01:07:06 +01:00
Hannes Mannerheim
e5f22390dc merge from git.gnu.io 2016-03-10 13:53:08 +01:00
Hannes Mannerheim
e9df9b7bdb Merge branch 'master' of git.gnu.io:h2p/Qvitter 2016-03-05 16:54:26 +01:00
Hannes Mannerheim
05825ecc93 from git.gnu.io 2016-03-05 14:51:01 +01:00
Hannes Mannerheim
34b25e032e mute etc 2016-03-04 00:22:25 +01:00
Hannes Mannerheim
e6a8cad494 from git.gnu.io 2016-02-29 16:08:06 +01:00
Hannes Mannerheim
2570877580 update from git.gnu.io 2016-02-25 11:10:55 +01:00
Hannes Mannerheim
8dc071c955 favicons and fixes 2016-02-16 13:38:40 +01:00
Hannes Mannerheim
0e99f04c43 update from git.gnu.io 2016-02-16 11:54:47 +01:00
Hannes Mannerheim
f5acc4a386 german update 2016-02-12 14:56:59 +01:00
Hannes Mannerheim
3ab4b1cdb6 twitter cards and opengraph 2016-02-11 17:49:02 +01:00
Hannes Mannerheim
596b4b8e02 don't flash the no-javascript message while loading 2016-02-11 14:55:20 +01:00
Hannes Mannerheim
45b50d3387 turkish 2016-02-11 14:47:58 +01:00
Hannes Mannerheim
6f6a593984 fixes 2016-02-11 14:30:20 +01:00
Hannes Mannerheim
e1c8080e8f pt-br fixes 2016-02-10 14:18:26 +01:00
Hannes Mannerheim
b3eef26174 finnish finished 2016-02-09 20:22:12 +01:00
Hannes Mannerheim
a855c98834 pt-br fixes 2016-02-09 15:21:13 +01:00
Hannes Mannerheim
3037794b6d pt_br update 2016-02-08 11:13:10 +01:00
Hannes Mannerheim
cc5739918e spanish faq addition by @simsa01@quitter.se 2016-02-08 11:09:02 +01:00
Hannes Mannerheim
23ecdf2a07 nl update 2016-02-08 11:04:13 +01:00
Hannes Mannerheim
182ae843ca no > nb 2016-02-08 11:00:32 +01:00
Hannes Mannerheim
13256d2a66 spanish translation 2016-02-08 10:56:46 +01:00
Hannes Mannerheim
fabdad7dc7 terms addition 2016-02-07 14:37:44 +01:00
Hannes Mannerheim
7df7eb1aeb terms for logged in users 2016-02-07 14:17:37 +01:00
Hannes Mannerheim
2590528d63 xss fix, thx @chc4@quitter.se 2016-02-07 02:23:38 +01:00
Hannes Mannerheim
b4f45b8537 sort twkn by id, since we scroll using max_id 2016-02-04 13:52:16 +01:00
Hannes Mannerheim
077a5a04a2 Updated norwegian translation 2016-02-04 02:06:52 +01:00
Hannes Mannerheim
c01906055e blocking 2016-02-02 16:25:34 +01:00
Hannes Mannerheim
d247c08aeb set api format so client errors work 2016-02-01 18:22:41 +01:00
Hannes Mannerheim
4c0f42984c Updated norwegian translation 2016-01-31 02:22:18 +01:00
5 changed files with 93 additions and 0 deletions

View File

@ -423,6 +423,16 @@ class QvitterPlugin extends Plugin {
}
/**
* Remove CSRF cookie on logout
*
*/
function onEndLogout($action) {
common_set_cookie('Qvitter-CSRF', '', 0);
return true;
}
/**
* Add script to default ui, to be able to toggle Qvitter with one click
@ -1287,6 +1297,24 @@ class QvitterPlugin extends Plugin {
*/
public function onEndSetApiUser($user) {
// if we're POST:ing and are logged in using a regular session (i.e. not basic auth or oauth)
// check that we have a correct csrf cookie and header, otherwise deny
if(common_logged_in() && $_SERVER['REQUEST_METHOD'] === 'POST') {
if(!isset($_COOKIE['Qvitter-CSRF'])) {
throw new ServerException(_('Error setting user. Missing authorization cookie data. Please logout and login again.'));
}
$csrf_token = sha1(common_config('qvitter', 'appid').session_id());
if($_COOKIE['Qvitter-CSRF'] != $csrf_token) {
throw new ServerException(_('Error setting user. Invalid authorization cookie data. Please logout and login again.'));
}
if(!isset($_SERVER['HTTP_X_QVITTER_CSRF'])) {
throw new ServerException(_('Error setting user. Missing authorization header data. Please logout and login again.'));
}
if($_SERVER['HTTP_X_QVITTER_CSRF'] != $csrf_token) {
throw new ServerException(_('Error setting user. Invalid authorization header data. Please logout and login again.'));
}
}
// cleanup sessions, to allow for simultaneous http-requests,
// e.g. if posting a notice takes a very long time
Session::cleanup();

View File

@ -45,6 +45,15 @@ class QvitterAction extends ApiAction
{
parent::prepare($args);
// if we're logged in but we have missing or incorrect csrf cookie, logout
if(common_logged_in()) {
$csrf_token = sha1(common_config('qvitter', 'appid').session_id());
if(!isset($_COOKIE['Qvitter-CSRF']) || $_COOKIE['Qvitter-CSRF'] != $csrf_token) {
header('Location: '.common_path('').'main/logout');
die();
}
}
$user = common_current_user();
return true;

View File

@ -112,6 +112,17 @@ class QvitterLoginAction extends FormAction
common_rememberme($user);
}
// make sure we have a unique app id for this Qvitter installation in config
// to use for creating a csrf token
if(common_config('qvitter', 'appid') == false) {
Config::save('qvitter', 'appid', sha1(common_random_hexstr(16)));
}
// set csrf-cookie
$csrf_token = sha1(common_config('qvitter', 'appid').session_id());
common_set_cookie('Qvitter-CSRF', $csrf_token, time() + 60*60*24*30); // 1 month
$url = common_get_returnto();
if ($url) {

View File

@ -334,6 +334,9 @@ function postUpdateBookmarks(newBookmarks) {
$.ajax({ url: window.apiRoot + 'qvitter/update_bookmarks.json',
cache: false,
type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: {
bookmarks: bookmarksString
},
@ -358,6 +361,9 @@ function postNewLinkColor(newLinkColor) {
$.ajax({ url: window.apiRoot + 'qvitter/update_link_color.json',
cache: false,
type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: {
linkcolor: newLinkColor
},
@ -383,6 +389,9 @@ function postNewBackgroundColor(newBackgroundColor) {
$.ajax({ url: window.apiRoot + 'qvitter/update_background_color.json',
cache: false,
type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: {
backgroundcolor: newBackgroundColor
},
@ -412,6 +421,9 @@ function postSetProfilePref(namespace, topic, data, callback) {
$.ajax({ url: window.apiRoot + 'qvitter/set_profile_pref.json',
cache: false,
type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: {
namespace: namespace,
topic: topic,
@ -448,6 +460,9 @@ function APIFollowOrUnfollowUser(followOrUnfollow,user_id,this_element,actionOnS
$.ajax({ url: window.apiRoot + postRequest,
cache: false,
type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: {
user_id: user_id
},
@ -485,6 +500,9 @@ function APIBlockOrUnblockUser(blockOrUnblock,user_id,actionOnSuccess) {
$.ajax({ url: window.apiRoot + postRequest,
cache: false,
type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: {
id: user_id
},
@ -515,6 +533,9 @@ function APISandboxCreateOrDestroy(createOrDestroy,userId,actionOnSuccess) {
$.ajax({ url: window.apiRoot + 'qvitter/sandbox/' + createOrDestroy + '.json',
cache: false,
type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: {
id: userId
},
@ -545,6 +566,9 @@ function APISilenceCreateOrDestroy(createOrDestroy,userId,actionOnSuccess) {
$.ajax({ url: window.apiRoot + 'qvitter/silence/' + createOrDestroy + '.json',
cache: false,
type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: {
id: userId
},
@ -577,6 +601,9 @@ function APIJoinOrLeaveGroup(joinOrLeave,group_id,this_element,actionOnSuccess)
$.ajax({ url: window.apiRoot + 'statusnet/groups/' + joinOrLeave + '.json',
cache: false,
type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: {
id: group_id
},
@ -608,6 +635,9 @@ function postQueetToAPI(queetText_txt, in_reply_to_status_id, postToGroups, acti
$.ajax({ url: window.apiRoot + 'qvitter/statuses/update.json',
cache: false,
type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: {
status: queetText_txt,
source: 'Qvitter',
@ -643,6 +673,9 @@ function postActionToAPI(action, actionOnSuccess) {
$.ajax({ url: window.apiRoot + action,
cache: false,
type: "POST",
beforeSend: function (xhr) {
xhr.setRequestHeader('X-Qvitter-CSRF', getCookieValue('Qvitter-CSRF'));
},
data: {
source: 'Qvitter'
},

View File

@ -37,6 +37,18 @@
· ·
· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · */
/* ·
·
· Get cookie by name
·
· @param a: cookie name
·
· · · · · · · · · */
function getCookieValue(a) {
var b = document.cookie.match('(^|;)\\s*' + a + '\\s*=\\s*([^;]+)');
return b ? b.pop() : '';
}
/* ·
·