FSN#39957 API2 bestand tegen CSRF misbruik

svn path=/Website/trunk/; revision=33222
Jos Groot Lipman
2017-03-22 22:48:45 +00:00
parent 369e8ea84a
commit 014159fde8
3 changed files with 14 additions and 2 deletions


@@ -25,6 +25,7 @@ var fac_id = Request.QueryString("fac_id").Count > 0&&String(Request.QueryString
$(doInit);
$(doBuild);
});
var RVT_token = "<%=safe.jsstring(protectRequest.theToken())%>";
</script>
<style>
pre { font-size: 1.2em;
@@ -52,7 +53,8 @@ var fac_id = Request.QueryString("fac_id").Count > 0&&String(Request.QueryString
</tr>
<tr><td><label>APIKEY</label></td>
<td><input id="apikey" type="text" style="width:250px" value="APIPFO">&nbsp;
<% if (user_key > 0) { %>
<%
if (user_key > 0) { %>
Herkend als: <%= safe.html(user.oslogin()) %>
<% } %>
</td>
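Review bot: `RVT_token` on line 17 is introduced as an undocumented global in the page's inline script, and nothing near it says what it is for or who consumes it; a one-line comment would save the next reader a search, e.g. `// Anti-CSRF token; the client-side doSubmit() sends it as the X-CSRF-TOKEN header on API2 calls`. Emitting it through `safe.jsstring(...)` is the right escaping for a JS string literal context. The second hunk appears to only reflow the existing `<% if (user_key > 0) { %>` line across two lines with no functional change, so it needs no further review.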


@@ -40,7 +40,9 @@ function doSubmit()
tm = new Date;
$.ajax(url, { type: method,
data: data,
headers: { "X-FACILITOR-API-Key": apikey }
headers: { "X-FACILITOR-API-Key": apikey,
"X-CSRF-TOKEN": RVT_token
}
// dan werkt de header niet dataType: "jsonp"
}
).done(callbackDone).fail(callbackFail);
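Review bot: `RVT_token` on line 40 is read as a free global that this script does not declare, so doSubmit() now depends on the hosting page emitting it; if the script is ever included on a page without that variable, `$.ajax` is never reached because the headers literal throws a ReferenceError first. A short comment on that line would make the coupling explicit, e.g. `// RVT_token is emitted by the hosting page; the server validates it on non-GET calls`. The header is also sent on GET requests, which is harmless since only non-GET methods are checked server-side, but worth stating. doSubmit() begins outside the hunk.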


@@ -26,6 +26,14 @@ api2_rest = {
if (!APIKEY && Session("user_key") > 0)
{
user_key = Session("user_key"); // Hierdoor is de API intern te gebruiken zonder authenticatie
var method = String(Request.ServerVariables("REQUEST_METHOD"));
if (method != "GET") // Vereis dan wel het CSRF token
{
var token = Request.ServerVariables("HTTP_X_CSRF_TOKEN").Count // Meegegeven als X-CSRF-TOKEN
? String(Request.ServerVariables("HTTP_X_CSRF_TOKEN"))
: "";
protectRequest.validateToken(token);
}
}
else
{
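Review bot: The result of `protectRequest.validateToken(token)` on line 58 is discarded, so the new protection only holds if that call aborts the response on a bad token; if it reports failure by return value instead, the session-based fallback on line 51 has already assigned `user_key` and the request proceeds as authenticated. Unless validateToken is known to end the request, move the assignment after an explicit check, e.g. `if (!protectRequest.validateToken(token)) { /* reject */ }` before `user_key = Session("user_key")`. The `method != "GET"` exemption on line 53 also assumes every GET endpoint reachable through the session fallback is side-effect free; that assumption deserves a comment there, e.g. `// GET is exempt from the token check, so GET handlers must not change state`. The enclosing `api2_rest` object starts outside the hunk.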