improve security by keeping CSRF for every ajax request

merge-requests/1/head
Julien Veyssier 2017-03-29 21:47:55 -03:00
parent 9b8b9aa44c
commit e73789d211
3 changed files with 3 additions and 12 deletions


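--- a/<path not shown: changelog>
+++ b/<path not shown: changelog>
@@ -29,6 +29,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ### Fixed
 - app is now compliant to occ check-code
 - jshint and jslint in da place
+- do not put @NoCSRFRequired everywhere in controllers
 ## 0.0.4 2017-01-17
 ### Added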


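--- a/<path not shown: PageController>
+++ b/<path not shown: PageController>
@@ -64,6 +64,7 @@ function globRecursive($path, $find, $recursive=True) {
 */
 function getProgramPath($progname){
 $path_ar = explode(':',getenv('path'));
+$path_ar = array_merge($path_ar, explode(':',getenv('PATH')));
 foreach ($path_ar as $path){
 $supposed_gpath = $path.'/'.$progname;
 if (file_exists($supposed_gpath) and
@@ -223,9 +224,7 @@ class PageController extends Controller {
 }
 /**
-*
 * @NoAdminRequired
-* @NoCSRFRequired
 */
 public function getgpx($path) {
 $userFolder = \OC::$server->getUserFolder();
@@ -264,9 +263,7 @@ class PageController extends Controller {
 }
 /**
-*
 * @NoAdminRequired
-* @NoCSRFRequired
 */
 public function getfoldergpxs($path, $type) {
 $userFolder = \OC::$server->getUserFolder();
@@ -320,9 +317,7 @@ class PageController extends Controller {
 }
 /**
-*
 * @NoAdminRequired
-* @NoCSRFRequired
 */
 public function savegpx($path, $content) {
 $userFolder = \OC::$server->getUserFolder();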
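Review bot: The added line in getProgramPath merges getenv('PATH') into a list that still begins with the result of getenv('path'); on a case-sensitive environment that first lookup returns false, so explode() yields a single empty string and the loop probes `'/'.$progname` at the filesystem root before any real PATH entry is tried. A single filtered source avoids both the stray root probe and a false return from getenv, e.g. `$path_ar = array_filter(explode(':', (string) getenv('PATH')));` in place of the two lines. The same two-line pattern appears in the getProgramPath hunk of the UtilsController section, which should get the same fix. The @NoCSRFRequired removals are the change itself; the bodies of getgpx, getfoldergpxs and savegpx continue outside their hunks.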


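--- a/<path not shown: UtilsController>
+++ b/<path not shown: UtilsController>
@@ -56,6 +56,7 @@ function globRecursive($path, $find, $recursive=True) {
 */
 function getProgramPath($progname){
 $path_ar = explode(':',getenv('path'));
+$path_ar = array_merge($path_ar, explode(':',getenv('PATH')));
 foreach ($path_ar as $path){
 $supposed_gpath = $path.'/'.$progname;
 if (file_exists($supposed_gpath) and
@@ -119,7 +120,6 @@ class UtilsController extends Controller {
 }
 /**
-* @NoCSRFRequired
 */
 public function deleteExtraSymbol($name) {
 $filename = str_replace(array('../', '..\\', '/'), '', $name);
@@ -140,7 +140,6 @@ class UtilsController extends Controller {
 }
 /**
-* @NoCSRFRequired
 */
 public function uploadExtraSymbol($addExtraSymbolName) {
 $newSymbol = $this->request->getUploadedFile('uploadsymbol');
@@ -207,7 +206,6 @@ class UtilsController extends Controller {
 /**
 * Add one tile server to the DB for current user
 * @NoAdminRequired
-* @NoCSRFRequired
 */
 public function addTileServer($servername, $serverurl) {
 // first we check it does not already exist
@@ -255,7 +253,6 @@ class UtilsController extends Controller {
 /**
 * Delete one tile server entry from DB for current user
 * @NoAdminRequired
-* @NoCSRFRequired
 */
 public function deleteTileServer($servername) {
 $sqldel = 'DELETE FROM *PREFIX*gpxedit_tile_servers ';
@@ -282,7 +279,6 @@ class UtilsController extends Controller {
 /**
 * Save options values to the DB for current user
 * @NoAdminRequired
-* @NoCSRFRequired
 */
 public function saveOptionsValues($optionsValues) {
 // first we check if user already has options values in DB
@@ -333,7 +329,6 @@ class UtilsController extends Controller {
 /**
 * get options values to the DB for current user
 * @NoAdminRequired
-* @NoCSRFRequired
 */
 public function getOptionsValues($optionsValues) {
 $sqlov = 'SELECT jsonvalues FROM *PREFIX*gpxedit_options_values ';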
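Review bot: Removing the only annotation leaves the docblocks of deleteExtraSymbol and uploadExtraSymbol completely empty (`/** */`), which reads as missing documentation rather than as the deliberate choice to keep these two endpoints admin-only; the other methods in this file at least carry a purpose line. Suggest one sentence each, e.g. `/** Delete one extra symbol file from the app's symbol directory (admin-only: intentionally no @NoAdminRequired). */` and a matching line for uploadExtraSymbol, so the next reader does not "fix" the blank block by re-adding annotations. The getProgramPath hunk at the top of this section carries the same getenv('path')/getenv('PATH') duplication raised on the PageController section and should take the same single-source fix. All method bodies here continue outside their hunks.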