improve security by keeping CSRF for every ajax request

CHANGELOG.md

@@ -29,6 +29,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ### Fixed
 - app is now compliant to occ check-code
 - jshint and jslint in da place
+- do not put @NoCSRFRequired everywhere in controllers
 
 ## 0.0.4 – 2017-01-17
 ### Added

controller/pagecontroller.php

@@ -64,6 +64,7 @@ function globRecursive($path, $find, $recursive=True) {
  */
 function getProgramPath($progname){
     $path_ar = explode(':',getenv('path'));
+    $path_ar = array_merge($path_ar, explode(':',getenv('PATH')));
     foreach ($path_ar as $path){
         $supposed_gpath = $path.'/'.$progname;
         if (file_exists($supposed_gpath) and
@@ -223,9 +224,7 @@ class PageController extends Controller {
     }
 
     /**
-     * 
      * @NoAdminRequired
-     * @NoCSRFRequired
      */
     public function getgpx($path) {
         $userFolder = \OC::$server->getUserFolder();
@@ -264,9 +263,7 @@ class PageController extends Controller {
     }
 
     /**
-     * 
      * @NoAdminRequired
-     * @NoCSRFRequired
      */
     public function getfoldergpxs($path, $type) {
         $userFolder = \OC::$server->getUserFolder();
@@ -320,9 +317,7 @@ class PageController extends Controller {
     }
 
     /**
-     * 
      * @NoAdminRequired
-     * @NoCSRFRequired
      */
     public function savegpx($path, $content) {
         $userFolder = \OC::$server->getUserFolder();

controller/utilscontroller.php

@@ -56,6 +56,7 @@ function globRecursive($path, $find, $recursive=True) {
  */
 function getProgramPath($progname){
     $path_ar = explode(':',getenv('path'));
+    $path_ar = array_merge($path_ar, explode(':',getenv('PATH')));
     foreach ($path_ar as $path){
         $supposed_gpath = $path.'/'.$progname;
         if (file_exists($supposed_gpath) and
@@ -119,7 +120,6 @@ class UtilsController extends Controller {
     }
 
     /**
-     * @NoCSRFRequired
      */
     public function deleteExtraSymbol($name) {
 		$filename = str_replace(array('../', '..\\', '/'), '', $name);
@@ -140,7 +140,6 @@ class UtilsController extends Controller {
     }
 
     /**
-     * @NoCSRFRequired
      */
     public function uploadExtraSymbol($addExtraSymbolName) {
 		$newSymbol = $this->request->getUploadedFile('uploadsymbol');
@@ -207,7 +206,6 @@ class UtilsController extends Controller {
     /**
      * Add one tile server to the DB for current user
      * @NoAdminRequired
-     * @NoCSRFRequired
      */
     public function addTileServer($servername, $serverurl) {
         // first we check it does not already exist
@@ -255,7 +253,6 @@ class UtilsController extends Controller {
     /**
      * Delete one tile server entry from DB for current user
      * @NoAdminRequired
-     * @NoCSRFRequired
      */
     public function deleteTileServer($servername) {
         $sqldel = 'DELETE FROM *PREFIX*gpxedit_tile_servers ';
@@ -282,7 +279,6 @@ class UtilsController extends Controller {
     /**
      * Save options values to the DB for current user
      * @NoAdminRequired
-     * @NoCSRFRequired
      */
     public function saveOptionsValues($optionsValues) {
         // first we check if user already has options values in DB
@@ -333,7 +329,6 @@ class UtilsController extends Controller {
     /**
      * get options values to the DB for current user
      * @NoAdminRequired
-     * @NoCSRFRequired
      */
     public function getOptionsValues($optionsValues) {
         $sqlov = 'SELECT jsonvalues FROM *PREFIX*gpxedit_options_values ';