Fix CSRF protection for adding new phrases and switch to generic JS function for looking up GET header variables.
drn05r authored and EPrints Services committed Jun 2, 2020
1 parent b76ed2a commit 95ed6be
Showing 3 changed files with 17 additions and 13 deletions.
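--- a/lib/static/javascript/auto/45_extras.js
+++ b/lib/static/javascript/auto/45_extras.js
@@ -73,3 +73,17 @@ function human_filesize(size_in_bytes)
 return size_in_tb + 'Tb';
 }
 
+/*
+* Get paramaters set in the HTTP GET header
+*/
+function get_header_variable(variable) {
+var query = window.location.search.substring(1);
+var vars = query.split("&");
+for (var i=0;i<vars.length;i++) {
+var pair = vars[i].split("=");
+if (pair[0] == variable) {
+return decodeURIComponent(pair[1]);
+}
+}
+}
+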
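Review bot: `get_header_variable` splits each pair on every `=`, so a value that itself contains `=` (as base64-style tokens can) is returned truncated, and a parameter with no `=` yields the string `"undefined"` because `pair[1]` is undefined; the key is also compared with `==` and never decoded. `decodeURIComponent` throws a URIError on a malformed percent-sequence in the page URL, which aborts the calling handler (and its Ajax request) instead of returning undefined, so the comment should state that contract or the call should be guarded. The header comment also describes the wrong source — the function reads the current page's query string, not an HTTP header — so I would replace it with `/* Return the decoded value of the named query-string parameter of the current page URL, or undefined if it is absent. */` (and "paramaters" is misspelled). Splitting at the first `=` only and decoding both sides keeps the same interface:
```javascript
function get_header_variable(variable) {
	var pairs = window.location.search.substring(1).split("&");
	for (var i = 0; i < pairs.length; i++) {
		var eq = pairs[i].indexOf("=");
		var key = eq < 0 ? pairs[i] : pairs[i].substring(0, eq);
		if (decodeURIComponent(key) === variable) {
			return eq < 0 ? "" : decodeURIComponent(pairs[i].substring(eq + 1));
		}
	}
}
```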
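--- a/lib/static/javascript/auto/70_phraseedit.js
+++ b/lib/static/javascript/auto/70_phraseedit.js
@@ -68,7 +68,8 @@ function ep_phraseedit_addphrase( event, base_id )
 parameters: {
 screen: "Admin::Phrases",
 phraseid: base_id,
-phrase: $('ep_phraseedit_newid').value
+phrase: $('ep_phraseedit_newid').value,
+csrf_token: get_header_variable( 'csrf_token' )
 }
 }
 );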
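Review bot: The new `csrf_token` parameter is whatever `get_header_variable( 'csrf_token' )` returns, which is undefined when the current page URL carries no such parameter, so the request is then sent with an unusable token and only fails at the server's CSRF check; checking the token before building the request would make the failure visible at the source, e.g. `var csrf_token = get_header_variable( 'csrf_token' ); if ( !csrf_token ) { alert( 'Missing CSRF token; please reload the page.' ); return; }`. How the response handler reports a rejected request is outside the hunk, as is the start of `ep_phraseedit_addphrase`, so this may already be handled there. The helper lives in `auto/45_extras.js`, so this file now relies on the auto bundle being loaded ahead of it, which the file numbering suggests but the hunk cannot show.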
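--- a/lib/static/javascript/screen_admin_storagemanager.js
+++ b/lib/static/javascript/screen_admin_storagemanager.js
@@ -4,17 +4,6 @@ Event.observe(window,'load',function () {
 });
 });
 
-function js_admin_storagemanager_get_variable(variable) {
-var query = window.location.search.substring(1);
-var vars = query.split("&");
-for (var i=0;i<vars.length;i++) {
-var pair = vars[i].split("=");
-if (pair[0] == variable) {
-return decodeURIComponent(pair[1]);
-}
-}
-}
-
 function js_admin_storagemanager_load_stats(div)
 {
 var pluginid = div.id.substring(6);
@@ -45,7 +34,7 @@ function js_admin_storagemanager_load_stats(div)
 ajax: "stats",
 screen: "Admin::StorageManager",
 store: pluginid,
-csrf_token: js_admin_storagemanager_get_variable( "csrf_token" )
+csrf_token: get_header_variable( "csrf_token" )
 }
 }
 );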
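Review bot: Removing `js_admin_storagemanager_get_variable` makes `screen_admin_storagemanager.js` depend on `get_header_variable`, which is defined in `auto/45_extras.js` rather than in this file; if a page loads this screen script without the auto bundle, or before it, the `csrf_token` line in `js_admin_storagemanager_load_stats` raises a ReferenceError and the stats request is never sent. Whether the bundle is always loaded first cannot be seen from the hunks, so a comment at the call site would help the next reader, e.g. `// get_header_variable() is provided by auto/45_extras.js (auto bundle)`. The body of `js_admin_storagemanager_load_stats` continues outside both hunks.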
