inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-21 18:09:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged 5.2.N (5.2.1) to HEAD (5.2)

Browse Source 
131606 kroast: ACE-4881 - [Pentest 121015] Multiple admin CSRF
      - Fix issues spotted by Gethin; PUT/POST XHR requests made from admin pages did not add the CSRF token correctly, default error handler missing reference.


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@132279 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Alan Davis
2016-11-03 13:54:42 +00:00
parent 2f5d71cbb4
commit 8e91ab5121
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
config/alfresco/templates/webscripts/org/alfresco/repository/admin/admin-template.ftl
View File

@@ -350,11 +350,11 @@ var Admin = Admin || {};
{
var req = new XMLHttpRequest();
var data = config.data || {};
if ((config.method === "POST" || config.method === "PUT") && Admin.CSRF.enabled) {
setRequestHeader(Admin.CSRF.getHeader(), Admin.CSRFToken());
}
if (req.overrideMimeType) req.overrideMimeType((config.responseContentType ? config.responseContentType : "application/json") + "; charset=utf-8");
req.open(config.method ? config.method : "GET", config.url);
if ((config.method === "POST" || config.method === "PUT") && Admin.CSRF.enabled) {
req.setRequestHeader(Admin.CSRF.getHeader(), Admin.CSRFToken());
}
req.setRequestHeader("Accept", config.requestContentType ? config.requestContentType : "application/json");
req.onreadystatechange = function() {
if (req.readyState === 4)
@@ -394,7 +394,7 @@ var Admin = Admin || {};
else
{
// default error handler
alert("${msg("admin-console.requesterror")}\n\n" + res.responseText + "\n\n" + res.responseStatus);
alert("${msg("admin-console.requesterror")}\n\n" + req.responseText + "\n\n" + req.responseStatus);
}
}
}