From 8e91ab5121e01a3cdf58312f7b012f5c3b2edc7e Mon Sep 17 00:00:00 2001
From: Alan Davis
Date: Thu, 3 Nov 2016 13:54:42 +0000
Subject: [PATCH] Merged 5.2.N (5.2.1) to HEAD (5.2)
131606 kroast: ACE-4881 - [Pentest 121015] Multiple admin CSRF - Fix issues spotted by Gethin; PUT/POST XHR requests made from admin pages did not add the CSRF token correctly, default error handler missing reference.
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@132279 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
.../org/alfresco/repository/admin/admin-template.ftl | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/alfresco/templates/webscripts/org/alfresco/repository/admin/admin-template.ftl b/config/alfresco/templates/webscripts/org/alfresco/repository/admin/admin-template.ftl
index 423300d348..62cea91dd3 100644
--- a/config/alfresco/templates/webscripts/org/alfresco/repository/admin/admin-template.ftl
+++ b/config/alfresco/templates/webscripts/org/alfresco/repository/admin/admin-template.ftl
@@ -350,11 +350,11 @@ var Admin = Admin || {};
 {
 var req = new XMLHttpRequest();
 var data = config.data || {};
- if ((config.method === "POST" || config.method === "PUT") && Admin.CSRF.enabled) {
- setRequestHeader(Admin.CSRF.getHeader(), Admin.CSRFToken());
- }
 if (req.overrideMimeType) req.overrideMimeType((config.responseContentType ? config.responseContentType : "application/json") + "; charset=utf-8");
 req.open(config.method ? config.method : "GET", config.url);
+ if ((config.method === "POST" || config.method === "PUT") && Admin.CSRF.enabled) {
+ req.setRequestHeader(Admin.CSRF.getHeader(), Admin.CSRFToken());
+ }
 req.setRequestHeader("Accept", config.requestContentType ? config.requestContentType : "application/json");
 req.onreadystatechange = function() {
 if (req.readyState === 4)
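Review bot: The moved guard still attaches the CSRF token only when `config.method` is exactly `"POST"` or `"PUT"`, so any other state-changing verb sent through this helper (`DELETE`, `PATCH`) or a lower-case method string goes out without the token and will either be rejected by the server-side CSRF filter or, if that filter does not cover the verb, bypass the protection the commit is adding. Since the token is cheap and harmless on a safe request, inverting the check is simpler and closes both gaps: `var method = (config.method || "GET").toUpperCase();` before `req.open`, then `req.open(method, config.url);` and `if (method !== "GET" && method !== "HEAD" && Admin.CSRF.enabled) {`. Whether any admin page currently issues a DELETE through this function, and which verbs the server filter enforces, is not visible from the hunk and should be confirmed against the CSRF policy. The enclosing request function starts before this hunk and its `onreadystatechange` handler continues past it.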
@@ -394,7 +394,7 @@ var Admin = Admin || {};
 else
 {
 // default error handler
- alert("${msg("admin-console.requesterror")}\n\n" + res.responseText + "\n\n" + res.responseStatus);
+ alert("${msg("admin-console.requesterror")}\n\n" + req.responseText + "\n\n" + req.responseStatus);
 }
 }
 }
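Review bot: The corrected line still reads `req.responseStatus`, which is not a property of XMLHttpRequest, so assuming `req` here is the `XMLHttpRequest` created in the earlier hunk the alert will end with the text "undefined" instead of the HTTP status the message is meant to show; the property is `req.status` (with `req.statusText` for the reason phrase). Suggested: `alert("${msg("admin-console.requesterror")}\n\n" + req.responseText + "\n\n" + req.status + " " + req.statusText);`. Separately, the `${msg(...)}` value is interpolated into a JavaScript string literal by FreeMarker, so a catalog entry containing a quote or backslash would break the script; since message bundles are deployment-controlled this is a robustness rather than a security concern, but `${msg("admin-console.requesterror")?js_string}` would make it safe. The handler this `else` belongs to starts before the hunk.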