

Fixes 67 by amending the edit-phrases JS and adding a Repository function for generating CSRF tokens.
drn05r authored and EPrints Services committed Jun 1, 2020
1 parent d7ba01b commit 6968a56
Showing 4 changed files with 49 additions and 10 deletions.
18 changes: 14 additions & 4 deletions lib/static/javascript/auto/70_phraseedit.js
Expand Up @@ -75,7 +75,7 @@ function ep_phraseedit_addphrase( event, base_id )
return false;
}

function ep_phraseedit_save(base_id, phrase)
function ep_phraseedit_save(base_id, phrase, csrf_token='')
{
new Ajax.Request(
eprints_http_cgiroot+"/users/home",
Expand Down Expand Up @@ -115,7 +115,8 @@ function ep_phraseedit_save(base_id, phrase)
parameters: {
screen: "Admin::Phrases",
phraseid: base_id,
phrase: phrase
phrase: phrase,
csrf_token: csrf_token
}
}
);
Expand All @@ -139,7 +140,7 @@ function ep_phraseedit_enableform(form)
}
}

function ep_phraseedit_edit(div, phrases)
function ep_phraseedit_edit(div, phrases, csrf_token='')
{
var container = div.parentNode;
container.removeChild( div );
Expand All @@ -158,6 +159,15 @@ function ep_phraseedit_edit(div, phrases)
form.appendChild( textarea );

var input;
/* CSRF tokem */
if ( csrf_token !== '' )
{
input = document.createElement( 'input' );
input.setAttribute( 'type', 'hidden' );
input.value = csrf_token;
form.appendChild( input );
}

/* save */
input = document.createElement( 'input' );
input.setAttribute( 'type', 'button' );
Expand All @@ -166,7 +176,7 @@ function ep_phraseedit_edit(div, phrases)
var form = event.element().parentNode;
ep_phraseedit_disableform(form);
var textarea = form.firstChild;
ep_phraseedit_save(form._base_id, textarea.value);
ep_phraseedit_save(form._base_id, textarea.value, csrf_token);
});
form.appendChild( input );
/* reset */
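Review bot: The hidden input created in the ep_phraseedit_edit hunk (the `if ( csrf_token !== '' )` block) never receives a `name` attribute, so it would not be serialized even if the form were posted, and the save path actually sends the token through the explicit `parameters` map of the Ajax.Request in the ep_phraseedit_save hunk — the element is inert. Either drop the block, or if a real form post is intended add `input.setAttribute( 'name', 'csrf_token' );` before `form.appendChild( input );`. The comment above it reads `/* CSRF tokem */`; `/* CSRF token */`. Both ep_phraseedit_edit and ep_phraseedit_save start and end outside their hunks.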
10 changes: 9 additions & 1 deletion perl_lib/EPrints/Plugin/Screen/Admin/Phrases.pm
Expand Up @@ -503,7 +503,15 @@ sub render_row
}

# phrase editing widget
$div = $session->make_element( "div", id => "ep_phraseedit_$phraseid", class => "ep_phraseedit_widget", onclick => "ep_phraseedit_edit(this, ep_phraseedit_phrases);" );
if ( defined $session->config( "csrf_token_salt" ) && defined $session->current_user )
{
my $csrf_token = $session->get_csrf_token();
$div = $session->make_element( "div", id => "ep_phraseedit_$phraseid", class => "ep_phraseedit_widget", onclick => "ep_phraseedit_edit(this, ep_phraseedit_phrases, '$csrf_token');" );
}
else
{
$div = $session->make_element( "div", id => "ep_phraseedit_$phraseid", class => "ep_phraseedit_widget", onclick => "ep_phraseedit_edit(this, ep_phraseedit_phrases);" );
}
if( $xml ne $phrase->{xml} )
{
$div->setAttribute( class => "ep_phraseedit_widget ep_phraseedit_ref" );
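Review bot: Both branches of the new conditional in render_row call make_element with identical id and class and differ only in the onclick text, so the token decision reads more clearly if the handler string is built first: `my $onclick = "ep_phraseedit_edit(this, ep_phraseedit_phrases);";` then `$onclick = "ep_phraseedit_edit(this, ep_phraseedit_phrases, '" . $session->get_csrf_token() . "');" if defined $session->config( "csrf_token_salt" ) && defined $session->current_user;` and a single `$div = $session->make_element( "div", id => "ep_phraseedit_$phraseid", class => "ep_phraseedit_widget", onclick => $onclick );`. The token is interpolated into a single-quoted JavaScript literal inside an HTML attribute; that is only safe because get_csrf_token emits digits, a colon and hex characters, so a comment such as `# token is [0-9:a-f]+ and needs no JS or attribute escaping` records the assumption that must be revisited if the format changes. render_row starts before the hunk and ends after it.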
24 changes: 24 additions & 0 deletions perl_lib/EPrints/Repository.pm
Expand Up @@ -5777,7 +5777,31 @@ sub flavour_has
}


######################################################################
=pod
=begin InternalDoc
=item $Boolean = $repository->get_csrf_token("")
return a string containg the CSRF token.
=end InternalDoc
=cut
######################################################################


sub get_csrf_token
{
my ($self) = @_;

use Digest::MD5;
my $ctx = Digest::MD5->new;
my $timestamp = time();
$ctx->add( $timestamp, $self->current_user->get_id, $self->config( "csrf_token_salt" ) );
return $timestamp . ":" . $ctx->hexdigest;
}


1;
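Review bot: get_csrf_token calls `$self->current_user->get_id` without checking that a user is logged in or that `csrf_token_salt` is configured, so any caller other than the two guarded sites in Phrases.pm and XHTML.pm dies with a method call on undef; the guard belongs in the method (bare `return;` when either is missing), which would also let those two callers drop their duplicated condition. The POD header `=item $Boolean = $repository->get_csrf_token("")` documents a boolean return and an argument the sub has neither of; `=item $string = $repository->get_csrf_token` followed by `Return a string containing the CSRF token (timestamp and hex digest, colon separated).` matches the code, and `use Digest::MD5;` inside the body is compile-time anyway and reads better at file scope. `$ctx->add` concatenates its arguments with no separator and an unkeyed MD5 over secret-plus-data is not a MAC; a separator-joined message under core `Digest::SHA::hmac_sha256_hex` with the salt as key is the standard construction, but whatever verifies the token (not in this diff) would have to change in step. The file continues past the hunk; only the closing `1;` is shown.
```perl
sub get_csrf_token
{
    my ($self) = @_;

    # Guard here rather than at every caller: an anonymous request or an
    # unconfigured salt yields undef instead of a method call on undef.
    my $salt = $self->config( "csrf_token_salt" );
    my $user = $self->current_user;
    return unless defined $salt && defined $user;

    my $ctx = Digest::MD5->new;   # `use Digest::MD5;` moved to file scope
    my $timestamp = time();
    $ctx->add( $timestamp, $user->get_id, $salt );
    return $timestamp . ":" . $ctx->hexdigest;
}
```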
7 changes: 2 additions & 5 deletions perl_lib/EPrints/XHTML.pm
Expand Up @@ -145,15 +145,12 @@ sub form
# Add a CSRF token to the form if a salt has been set and there is a logged in user.
if ( defined $self->{repository}->config( "csrf_token_salt" ) && defined $self->{repository}->current_user )
{
use Digest::MD5;
my $ctx = Digest::MD5->new;
my $timestamp = time();
$ctx->add( $timestamp, $self->{repository}->current_user->get_id, $self->{repository}->config( "csrf_token_salt" ) );
my $csrf_token = $self->{repository}->get_csrf_token();
my $csrf_token_input = $self->{repository}->xml->create_element( "input",
id => "csrf_token",
name => "csrf_token",
type => "hidden",
value => $timestamp . ":" . $ctx->hexdigest,
value => $csrf_token,
);
$form->appendChild( $csrf_token_input );
}
