Skip to content

Commit

Permalink
check CSRF token enabling/disabling extensions. fixes #3559
Browse files Browse the repository at this point in the history
  • Loading branch information
@splitbrain
splitbrain committed Dec 8, 2021
1 parent b43eead commit 96f679f
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 5 deletions.
7 changes: 6 additions & 1 deletion lib/plugins/extension/action.php
View file
Expand Up @@ -57,8 +57,13 @@ public function info(Doku_Event $event, $param)
switch ($act) {
case 'enable':
case 'disable':
$extension->$act(); //enables/disables
if(getSecurityToken() != $INPUT->str('sectok')) {
http_status(403);
echo 'Security Token did not match. Possible CSRF attack.';
return;
}

$extension->$act(); //enables/disables
$reverse = ($act == 'disable') ? 'enable' : 'disable';

$return = array(
Expand Down
12 changes: 8 additions & 4 deletions lib/plugins/extension/script.js
View file
Expand Up @@ -64,8 +64,9 @@ jQuery(function(){
DOKU_BASE + 'lib/exe/ajax.php',
{
call: 'plugin_extension',
ext: extension,
act: act
ext: extension,
act: act,
sectok: $btn.parents('form').find('input[name=sectok]').val()
},
function (data) {
$btn.css('cursor', '')
Expand All @@ -74,12 +75,15 @@ jQuery(function(){
.removeClass('enable')
.text(data.label)
.addClass(data.reverse)
.parents('li')
.parents('li')
.removeClass('disabled')
.removeClass('enabled')
.addClass(data.state);
}
);
).fail(function() {
$btn.css('cursor', '')
.removeAttr('disabled');
});
});

/**
Expand Down

0 comments on commit 96f679f

Please sign in to comment.