Opened 3 years ago

Closed 3 years ago

#15973 closed Bug (duplicate)

Ajax CSRF code in docs doesn't always work.

Reported by: ehutch79@… Owned by: nobody
Component: Documentation Version: 1.3
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX:

Description (last modified by lukeplant)

While making sure URLs are local, simply filtering for relative URLs is not sufficient. Several libraries may end up requesting a fully qualified URL that is in fact local.

My suggestion is to change this line:

if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {

to this:

var root = location.protocol + '//' + location.host;
if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url)) || settings.url.substr(0, root.length) === root) {
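The same-origin decision from the ticket, as an added example that is neither the reporter's patch nor Django's own documentation code. It takes the origin as a parameter (in a browser this would be `location.protocol + '//' + location.host`) so it runs outside a browser, and it also covers two cases the page's one-liner does not: scheme-relative URLs and hosts that merely start with the origin string.

```javascript
// Added example (not the ticket's or Django's own code). `origin` stands in for
// location.protocol + '//' + location.host so the check can run without a browser.

function isSameOrigin(url, origin) {
  // Scheme-relative URLs ("//other.test/path") are absolute as well: the browser
  // resolves them against the current scheme, so they must not count as relative.
  var absolute = /^(https?:|\/\/)/i.test(url);
  if (!absolute) {
    return true; // relative path or query string: always the current origin
  }
  var prefix = url.substr(0, origin.length).toLowerCase();
  if (prefix !== origin.toLowerCase()) {
    return false; // different scheme or host
  }
  // A bare prefix match would also accept "http://example.com.evil.test" for the
  // origin "http://example.com", so the origin must be followed by the end of
  // the string, a path separator, a query string, or a fragment.
  if (url.length === origin.length) {
    return true;
  }
  var next = url.charAt(origin.length);
  return next === '/' || next === '?' || next === '#';
}

// Mirrors what the ajaxSend hook in the docs does with its decision: returns the
// headers that would be attached to the request, so the behaviour is testable.
function csrfHeadersFor(url, origin, csrftoken) {
  return isSameOrigin(url, origin) ? { 'X-CSRFToken': csrftoken } : {};
}
```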

Attachments (1)

ajax_csrf_fix.patch (803 bytes) - added by ehutch79@… 3 years ago.
modifies the ajax csrf code in the docs to look for the current pages domain as well as relative urls

Change History (2)

Changed 3 years ago by ehutch79@…

modifies the ajax csrf code in the docs to look for the current pages domain as well as relative urls

comment:1 Changed 3 years ago by lukeplant

  • Description modified (diff)
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed
  • Triage Stage changed from Unreviewed to Accepted

This is essentially the same as #15869 with different circumstances (i.e. certain libraries rather than certain browsers).

BTW, please use preview to check that your description comes out properly formatted.
