N°7556 - Cross-Site Request Forgery (CSRF) protection

This commit is contained in:
Eric Espie
2024-06-05 17:38:51 +02:00
parent 07702379c3
commit bbebca7951
3 changed files with 32 additions and 235 deletions


@@ -1,205 +0,0 @@
jQuery.extend(
{
createUploadIframe: function(id, uri)
{
//create frame
var frameId = 'jUploadFrame' + id;
var iframeHtml = '<iframe id="' + frameId + '" name="' + frameId + '" style="position:absolute; top:-9999px; left:-9999px"';
if(window.ActiveXObject)
{
if(typeof uri== 'boolean')
{
iframeHtml += ' src="' + 'javascript:false' + '"';
}
else if(typeof uri== 'string')
{
iframeHtml += ' src="' + uri + '"';
}
}
iframeHtml += ' />';
jQuery(iframeHtml).appendTo(document.body);
return jQuery('#' + frameId).get(0);
},
createUploadForm: function(id, fileElementId)
{
//create form
var formId = 'jUploadForm' + id;
var fileId = 'jUploadFile' + id;
var form = jQuery('<form action="" method="POST" name="' + formId + '" id="' + formId + '" enctype="multipart/form-data"></form>');
var oldElement = jQuery('#' + fileElementId);
var newElement = jQuery(oldElement).clone();
jQuery(oldElement).attr('id', fileId);
jQuery(oldElement).before(newElement);
jQuery(oldElement).appendTo(form);
//set attributes
jQuery(form).css('position', 'absolute');
jQuery(form).css('top', '-1200px');
jQuery(form).css('left', '-1200px');
jQuery(form).appendTo('body');
return form;
},
ajaxFileUpload: function(s) {
// TODO introduce global settings, allowing the client to modify them for all requests, not only timeout
s = jQuery.extend({}, jQuery.ajaxSettings, s);
var id = new Date().getTime();
var form = jQuery.createUploadForm(id, s.fileElementId);
var io = jQuery.createUploadIframe(id, s.secureuri);
var frameId = 'jUploadFrame' + id;
var formId = 'jUploadForm' + id;
// Watch for a new set of requests
if ( s.global && ! jQuery.active++ )
{
jQuery.event.trigger( "ajaxStart" );
}
var requestDone = false;
// Create the request object
var xml = {};
if ( s.global )
jQuery.event.trigger("ajaxSend", [xml, s]);
// Wait for a response to come back
var uploadCallback = function(isTimeout)
{
var io = document.getElementById(frameId);
try
{
if(io.contentWindow)
{
xml.responseText = io.contentWindow.document.body?io.contentWindow.document.body.innerHTML:null;
xml.responseXML = io.contentWindow.document.XMLDocument?io.contentWindow.document.XMLDocument:io.contentWindow.document;
}else if(io.contentDocument)
{
xml.responseText = io.contentDocument.document.body?io.contentDocument.document.body.innerHTML:null;
xml.responseXML = io.contentDocument.document.XMLDocument?io.contentDocument.document.XMLDocument:io.contentDocument.document;
}
}
catch(e)
{
jQuery.handleError(s, xml, null, e);
}
if ( xml || isTimeout == "timeout")
{
requestDone = true;
var status;
try {
status = isTimeout != "timeout" ? "success" : "error";
// Make sure that the request was successful or notmodified
if ( status != "error" )
{
// process the data (runs the xml through httpData regardless of callback)
var data = jQuery.uploadHttpData( xml, s.dataType );
// If a local callback was specified, fire it and pass it the data
if ( s.success )
s.success( data, status );
// Fire the global callback
if( s.global )
jQuery.event.trigger( "ajaxSuccess", [xml, s] );
} else
jQuery.handleError(s, xml, status);
} catch(e)
{
status = "error";
jQuery.handleError(s, xml, status, e);
}
// The request was completed
if( s.global )
jQuery.event.trigger( "ajaxComplete", [xml, s] );
// Handle the global AJAX counter
if ( s.global && ! --jQuery.active )
jQuery.event.trigger( "ajaxStop" );
// Process result
if ( s.complete )
s.complete(xml, status);
jQuery(io).unbind();
setTimeout(function()
{ try
{
jQuery(io).remove();
jQuery(form).remove();
} catch(e)
{
jQuery.handleError(s, xml, null, e);
}
}, 100);
xml = null;
}
};
// Timeout checker
if ( s.timeout > 0 )
{
setTimeout(function(){
// Check to see if the request is still happening
if( !requestDone ) uploadCallback( "timeout" );
}, s.timeout);
}
try
{
var form = jQuery('#' + formId);
jQuery(form).attr('action', s.url);
jQuery(form).attr('method', 'POST');
jQuery(form).attr('target', frameId);
if(form.encoding)
{
jQuery(form).attr('encoding', 'multipart/form-data');
}
else
{
jQuery(form).attr('enctype', 'multipart/form-data');
}
jQuery(form).submit();
} catch(e)
{
jQuery.handleError(s, xml, null, e);
}
jQuery('#' + frameId).load(uploadCallback );
return {abort: function () {}};
},
uploadHttpData: function( r, type ) {
var data = !type;
data = type == "xml" || data ? r.responseXML : r.responseText;
// If the type is "script", eval it in global context
if ( type == "script" )
jQuery.globalEval( data );
// Get the JavaScript object, if JSON is used.
if ( type == "json" )
eval( "data = " + data );
// evaluate scripts within html
if ( type == "html" )
jQuery("<div>").html(data).evalScripts();
return data;
}
});
// handleError is deprecated since jQuery 1.5 !!
jQuery.extend({
handleError: function( s, xhr, status, e ) {
// If a local callback was specified, fire it
if ( s.error )
s.error( xhr, status, e );
// If we have some XML response text (e.g. from an AJAX call) then log it in the console
else if(xhr.responseText)
{
//console.log(xhr.responseText);
}
}
});


@@ -215,7 +215,7 @@ $(function()
var me = this;
this.oUploadDlg = $('<div><p>'+this.options.labels['pick_icon_file']+'</p><p><input type="file" accept="image/*" name="file" id="file"/></p></div>');
this.element.after(this.oUploadDlg);
$('input[type=file]').on('change', function() { me._do_upload(); });
$('input[type=file]').on('change', function(event) { me._do_upload(event); });
this.oUploadDlg.dialog({
width: 400,
modal: true,
@@ -234,7 +234,7 @@ $(function()
this.oUploadDlg.remove();
this.oUploadDlg = null;
},
_do_upload: function()
_do_upload: function(event)
{
var me = this;
var $element = this.oUploadDlg.find('#file');
@@ -243,23 +243,34 @@ $(function()
{
ReplaceWithAnimation($element);
}
$.ajaxFileUpload
(
{
url: this.options.post_upload_to,
secureuri:false,
fileElementId:'file',
dataType: 'json',
success: function (data, status)
{
me._on_upload_complete(data);
},
error: function (data, status, e)
{
me._on_upload_error(data, status, e);
var file = event.target.files[0];
var formData = new FormData();
formData.append('file', file);
fetch(this.options.post_upload_to, {
method: 'POST',
headers: {
'X-Combodo-Ajax': true
},
body: formData
})
.then(response => {
if (response.ok) {
return response.json();
}
}
);
return response.text().then(text => Promise.reject({text, response}));
})
.then(data => {
// Handle the response data here
me._on_upload_complete(data);
})
.catch(error => {
let error_details = error.text === '' ? '' : ' (' + error.text + ')';
// Handle the error here
me._on_upload_error('Error: ' + error.response.status + ' ' + error.response.statusText + error_details);
});
},
_on_upload_complete: function(data)
{
@@ -278,18 +289,10 @@ $(function()
this.element.trigger('change');
this.oUploadDlg.dialog('close');
},
_on_upload_error: function(data, status, e)
_on_upload_error: function(e)
{
if (data.responseText.indexOf('login-body') !== -1) {
alert('Sorry, your session has expired. In order to continue, the whole page has to be loaded again.');
this.oUploadDlg.dialog('close');
} else if (data.responseText.length > 0) {
alert(data.responseText);
this.oUploadDlg.dialog('close');
} else {
alert(e);
this.oUploadDlg.closest('.ui-dialog').find('.ui-button').button('enable');
}
alert(e);
this.oUploadDlg.closest('.ui-dialog').find('.ui-button').button('enable');
}
});
});
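Review bot: The `.catch` handler at the end of `_do_upload` reads `error.response.status`, but only the `Promise.reject({text, response})` branch produces that shape; a rejection from `response.json()` on a non-JSON body (presumably the HTML login page that the removed `login-body` check used to recognise) or a network failure thrown by `fetch` itself is a plain Error, so the handler throws, `_on_upload_error` never runs, and the dialog's buttons stay disabled. Branching on whether `error.response` exists keeps the status/statusText message for HTTP errors and falls back to `error.message` otherwise, as below. Separately, `event.target.files[0]` is appended without checking that a file was chosen; an early `if (!file) return;` before building the FormData avoids posting the string "undefined". The header value `'X-Combodo-Ajax': true` relies on implicit stringification; writing it as `'true'` makes the intent explicit. `_do_upload` begins before this hunk.
```javascript
// … unchanged: fetch(this.options.post_upload_to, …) and the .then() chain …
.catch(error => {
  if (error && error.response) {
    let error_details = error.text === '' ? '' : ' (' + error.text + ')';
    me._on_upload_error('Error: ' + error.response.status + ' ' + error.response.statusText + error_details);
  } else {
    // Rejection from fetch() itself or from response.json() on a non-JSON body
    me._on_upload_error('Error: ' + (error && error.message ? error.message : String(error)));
  }
});
```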


@@ -214,7 +214,6 @@ class iTopWebPage extends NiceWebPage implements iTabbedPage
// Used by dashboard editor
$this->LinkScriptFromAppRoot('js/property_field.js');
$this->LinkScriptFromAppRoot('js/icon_select.js');
$this->LinkScriptFromAppRoot('js/ajaxfileupload.js');
}
/**