Merge pull request #2317 from haiwen/6.3-csrf_cookie

Use custom csrf cookie name to avoid name conflict
2025-04-27 19:05:16 +00:00 · 2018-08-30 18:52:24 +08:00 · 2018-08-30 18:52:24 +08:00 · e68193c965
commit e68193c965
parent 1b804484fd 20c33de178
9 changed files with 24 additions and 6 deletions
--- a/media/js/base.js
+++ b/media/js/base.js
@ -103,7 +103,7 @@ function addConfirmTo(op_ele, popup) {
                $('<form>', {
                    "method": 'POST',
                    "action": $(this).data('url'),
-                    "html": '<input name="csrfmiddlewaretoken" value="' + getCookie('csrftoken') + '" type="hidden">'
+                    "html": '<input name="csrfmiddlewaretoken" value="' + getCookie(SEAFILE_GLOBAL.csrfCookieName) + '" type="hidden">'
                }).appendTo(document.body).trigger('submit');
            } else { // default
                location.href = $(this).data('url');
@ -130,7 +130,7 @@ function addFormPost(op_ele) {
        $('<form>', {
            "method": 'POST',
            "action": $(this).data('url'),
-            "html": '<input name="csrfmiddlewaretoken" value="' + getCookie('csrftoken') + '" type="hidden">'
+            "html": '<input name="csrfmiddlewaretoken" value="' + getCookie(SEAFILE_GLOBAL.csrfCookieName) + '" type="hidden">'
        }).appendTo(document.body).trigger('submit');
        return false;
    });
@ -223,7 +223,7 @@ function getCookie(name) {
 function prepareCSRFToken(xhr, settings) {
    if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
        // Only send the token to relative URLs i.e. locally.
-        xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
+        xhr.setRequestHeader("X-CSRFToken", getCookie(SEAFILE_GLOBAL.csrfCookieName));
    }
 }

--- a/seahub/base/context_processors.py
+++ b/seahub/base/context_processors.py
@ -108,6 +108,7 @@ def base(request):
        'multi_institution': getattr(dj_settings, 'MULTI_INSTITUTION', False),
        'search_repo_id': search_repo_id,
        'SITE_ROOT': SITE_ROOT,
+        'CSRF_COOKIE_NAME': dj_settings.CSRF_COOKIE_NAME,
        'constance_enabled': dj_settings.CONSTANCE_ENABLED,
        'FILE_SERVER_ROOT': file_server_root,
        'LOGIN_URL': dj_settings.LOGIN_URL,
--- a/seahub/settings.py
+++ b/seahub/settings.py
@ -130,6 +130,7 @@ MIDDLEWARE_CLASSES = (
 SITE_ROOT_URLCONF = 'seahub.urls'
 ROOT_URLCONF = 'seahub.utils.rooturl'
 SITE_ROOT = '/'
+CSRF_COOKIE_NAME = 'sfcsrftoken'

 # Python dotted path to the WSGI application used by Django's runserver.
 WSGI_APPLICATION = 'seahub.wsgi.application'
--- a/seahub/templates/base.html
+++ b/seahub/templates/base.html
@ -128,7 +128,11 @@
            <button class="simplemodal-close">{% trans "No" %}</button>
        </div>
 </div><!-- wrapper -->
-
+<script type="text/javascript">
+var SEAFILE_GLOBAL = {
+    csrfCookieName: '{{ CSRF_COOKIE_NAME }}'
+};
+</script>
 <script type="text/javascript" src="{% static "scripts/lib/jquery.min.js" %}" id="jquery"></script>{# 'id="jquery"' is for pdf file view with pdf2html #}
 <script type="text/javascript" src="{% static "scripts/lib/jquery.simplemodal.js" %}"></script>
 <script type="text/javascript" src="{% static "scripts/lib/jstree.min.js" %}"></script>
--- a/seahub/templates/base_for_backbone.html
+++ b/seahub/templates/base_for_backbone.html
@ -120,6 +120,7 @@ var app = {
        mediaUrl: '{{ MEDIA_URL }}',
        siteRoot: '{{ SITE_ROOT }}',
        loginUrl: '{{ LOGIN_URL }}',
+        csrfCookieName: '{{ CSRF_COOKIE_NAME }}',
        fileServerRoot: '{{ FILE_SERVER_ROOT }}'
    }
 };
--- a/seahub/templates/sysadmin/sysadmin_backbone.html
+++ b/seahub/templates/sysadmin/sysadmin_backbone.html
@ -79,7 +79,8 @@ var app = {
    config: {
        mediaUrl: '{{ MEDIA_URL }}',
        siteRoot: '{{ SITE_ROOT }}',
-        loginUrl: '{{ LOGIN_URL }}'
+        loginUrl: '{{ LOGIN_URL }}',
+        csrfCookieName: '{{ CSRF_COOKIE_NAME }}'
    }
 };
 app["pageOptions"] = {
--- a/seahub/templates/view_file_onlyoffice.html
+++ b/seahub/templates/view_file_onlyoffice.html
@ -15,6 +15,11 @@ html, body { padding:0; margin:0; height:100%; }
 <div id="placeholder"></div>

 {% get_current_language as LANGUAGE_CODE %}
+<script type="text/javascript">
+var SEAFILE_GLOBAL = {
+    csrfCookieName: '{{ CSRF_COOKIE_NAME }}'
+};
+</script>
 <script type="text/javascript" src="{% static "scripts/lib/jquery.min.js" %}"></script>
 <script type="text/javascript" src="{{ MEDIA_URL }}js/jq.min.js"></script>
 <script type="text/javascript" src="{{ MEDIA_URL }}js/base.js"></script>
--- a/seahub/templates/view_file_wopi.html
+++ b/seahub/templates/view_file_wopi.html
@ -38,6 +38,11 @@

 <iframe id="office_frame" name="office_frame" class="hide" allowfullscreen ></iframe>

+<script type="text/javascript">
+var SEAFILE_GLOBAL = {
+    csrfCookieName: '{{ CSRF_COOKIE_NAME }}'
+};
+</script>
 <script type="text/javascript" src="{% static "scripts/lib/jquery.min.js" %}"></script>
 <script type="text/javascript" src="{{ MEDIA_URL }}js/jq.min.js"></script>
 <script type="text/javascript" src="{{ MEDIA_URL }}js/base.js"></script>
--- a/static/scripts/common.js
+++ b/static/scripts/common.js
@ -530,7 +530,7 @@ define([
            }
            if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
                // Only send the token to relative URLs i.e. locally.
-                xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
+                xhr.setRequestHeader("X-CSRFToken", getCookie(app.config.csrfCookieName));
            }
        },