Also protect GET requests with token for #892

This commit is contained in:
the-djmaze
2023-01-31 11:30:24 +01:00
parent b1c9bebce6
commit d7b5f3f4db
2 changed files with 9 additions and 2 deletions

dev/bootstrap.js vendored

@@ -60,7 +60,8 @@ export default App => {
postData.XToken = Settings.app('token');
init.body = JSON.stringify(postData);
}
init.headers['X-SM-Token'] = Settings.app('token');
// init.headers = new Headers(init.headers);
return fetch(resource, init);
};
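Review bot: The write at `init.headers['X-SM-Token'] = Settings.app('token');` assumes `init.headers` is already a plain object on `init`; whether it is initialised above is not visible, since the function starts before the hunk. If a caller passes no `headers` this throws a TypeError, and if `init.headers` is a `Headers` instance (the commented-out line directly below suggests that was considered) the bracket write adds an own property that `fetch` ignores, so the token is silently not sent and the server-side token check rejects the request. Normalising first, `init.headers = new Headers(init.headers || {}); init.headers.set('X-SM-Token', Settings.app('token'));`, covers both cases, and a comment such as `// CSRF token goes on every request, GET included (#892)` would document why the header is set outside the POST branch that ends at the `}` above it.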


@@ -92,7 +92,13 @@ class ServiceActions
throw new Exceptions\ClientException(Notifications::InvalidInputArgument, null, 'Action unknown');
}
if ($this->oHttp->IsPost() && ($_POST['XToken'] ?? '') !== Utils::GetCsrfToken()) {
$xtoken = $token = Utils::GetCsrfToken();
if (isset($_SERVER['HTTP_X_SM_TOKEN'])) {
$xtoken = $_SERVER['HTTP_X_SM_TOKEN'];
} else if ($this->oHttp->IsPost()) {
$xtoken = $_POST['XToken'] ?? '';
}
if ($xtoken !== $token) {
throw new Exceptions\ClientException(Notifications::InvalidToken, null, 'Token mismatch');
}