Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: csrf check failed on public share with password #44369

Merged

Conversation

luka-nextcloud
Copy link
Contributor

@luka-nextcloud luka-nextcloud commented Mar 20, 2024

Summary

"CSRF check failed" on public share with password

TODO

  • ...

Checklist

@luka-nextcloud luka-nextcloud self-assigned this Mar 20, 2024
@solracsf solracsf added this to the Nextcloud 29 milestone Mar 21, 2024
@solracsf solracsf added the 3. to review Waiting for reviews label Mar 21, 2024
@Altahrim Altahrim mentioned this pull request Mar 21, 2024
Comment on lines 57 to 69
document.addEventListener('DOMContentLoaded', function() {
var form = document.getElementById('password-input-form');
if (form) {
form.addEventListener('submit', async function(event) {
event.preventDefault();
var requestToken = document.getElementById('requesttoken');
if (requestToken) {
requestToken.value = await OC.fetchRequestToken();
}
form.submit();
});
}
});
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it be possible to move this into a "modern" js module that goes through webpack? then you can import @nextcloud/router directly and we avoid adding a new property to the dated OC global

@ChristophWurst ChristophWurst requested review from a team, Pytal, szaimen and emoral435 and removed request for a team March 21, 2024 18:09
@Altahrim Altahrim mentioned this pull request Mar 25, 2024
Comment on lines +63 to +67
if (requestToken) {
const url = generateUrl('/csrftoken')
const resp = await Axios.get(url)
requestToken.value = resp.data.token
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could use grab the currently known CSRF token from @nextcloud/auth to avoid the additional request?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR is for solving issue that the currently known CSRF token might not be the latest.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an existing CSRF token update mechanism that pulls a fresh token every 30 seconds. Is that not sufficient?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is not sufficient. User might submit form during the gap time and see the CSRF failed error randomly.

Copy link
Contributor

@emoral435 emoral435 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a valid solution to me - however, haven't tested it fully

@skjnldsv skjnldsv mentioned this pull request Mar 28, 2024
81 tasks
Signed-off-by: Luka Trovic <luka@nextcloud.com>
Signed-off-by: Luka Trovic <luka@nextcloud.com>
Signed-off-by: Luka Trovic <luka@nextcloud.com>
@luka-nextcloud luka-nextcloud force-pushed the bugfix/csrf-failed-on-public-share-with-password branch from 6d5b7ea to a42c68d Compare March 29, 2024 08:51
@juliusknorr juliusknorr merged commit 31c6379 into master Apr 2, 2024
166 of 168 checks passed
@juliusknorr juliusknorr deleted the bugfix/csrf-failed-on-public-share-with-password branch April 2, 2024 07:59
@luka-nextcloud
Copy link
Contributor Author

@juliushaertl @ChristophWurst @Altahrim This PR was missed from the release.

@luka-nextcloud
Copy link
Contributor Author

/backport to stable29

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

[Bug]: CSRF check failed on public share with password
6 participants