- eventsource.php: in case of potential CSRF attack we send an error message from...
authorThomas Müller <thomas.mueller@tmit.eu>
Wed, 10 Jul 2013 22:00:01 +0000 (00:00 +0200)
committerThomas Müller <thomas.mueller@tmit.eu>
Wed, 10 Jul 2013 22:27:21 +0000 (00:27 +0200)
- eventsource.js: handle undefined data on event
- update.js: in case of error we close the event source - advise the user to reload the page
- update.php: EventSource initialization is now done before we enter the maintenance mode in order to allow browser reload in case of possible CSRF attack

core/js/eventsource.js
core/js/update.js
lib/eventsource.php

index ce8c8387c8efef5eab85542807ca2993a0a998a2..536b180bc8f9d5ca989a864d21cc2304ca72e462 100644 (file)
@@ -110,7 +110,11 @@ OC.EventSource.prototype={
                                        this.listeners[type].push(callback);
                                }else{
                                        this.source.addEventListener(type,function(e){
-                                               callback(JSON.parse(e.data));
+                                               if (typeof e.data != 'undefined') {
+                                                       callback(JSON.parse(e.data));
+                                               } else {
+                                                       callback('');
+                                               }
                                        },false);
                                }
                        }else{
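Review bot: The new `else` branch turns every native EventSource `error` event, which carries no `data`, into `callback('')`, so a listener registered for 'error' cannot tell a dropped connection from a server-sent error message such as the CSRF one this commit adds. Document that contract above the check, for example `// native error events have no data; listeners then receive ''`. The comparison would also read better with the strict operator, `if (typeof e.data !== 'undefined') {`. The `listen` function starts and ends outside this hunk.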
index 8ab02bbf9350c3bdeb594a49561c6ae6499b34c2..2c28e72f7cd8404e224d1567515d8cbef00533eb 100644 (file)
@@ -5,6 +5,9 @@ $(document).ready(function () {
        });
        updateEventSource.listen('error', function(message) {
                $('<span>').addClass('error').append(message).append('<br />').appendTo($('.update'));
+               message = 'Please reload the page.';
+               $('<span>').addClass('error').append(message).append('<br />').appendTo($('.update'));
+               updateEventSource.close();
        });
        updateEventSource.listen('failure', function(message) {
                $('<span>').addClass('error').append(message).append('<br />').appendTo($('.update'));
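Review bot: In the 'error' listener, `message` now carries text sent by the server and is inserted with `.append(message)`, which jQuery parses as HTML rather than as text. The string sent by this commit is a constant, but the handler would render any markup in a future or proxied error message. Setting it as text keeps the sink safe whatever the payload: `$('<span>').addClass('error').text(message).append('<br />').appendTo($('.update'));`. The added 'Please reload the page.' line copies the same pattern and could be changed the same way, as could the 'failure' listener shown as context.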
@@ -20,4 +23,4 @@ $(document).ready(function () {
                        window.location.href = OC.webroot;
                }, 3000);
        });
-});
\ No newline at end of file
+});
index 63f197925293d97a6ae5bba8bbc605bb08b6b435..31d6edc1874cbd44f94a152a76f917c19eb01783 100644 (file)
@@ -25,7 +25,7 @@
  * wrapper for server side events (http://en.wikipedia.org/wiki/Server-sent_events)
  * includes a fallback for older browsers and IE
  *
- * use server side events with causion, to many open requests can hang the server
+ * use server side events with caution, to many open requests can hang the server
  */
 class OC_EventSource{
        private $fallback;
@@ -43,6 +43,7 @@ class OC_EventSource{
                        header("Content-Type: text/event-stream");
                }
                if( !OC_Util::isCallRegistered()) {
+                       $this->send('error', 'Possible CSRF attack. Connection will be closed.');
                        exit();
                }
                flush();
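Review bot: A request that fails `OC_Util::isCallRegistered()` leaves no server-side trace: the added `send('error', …)` tells the client why the stream ends, but nothing is logged before `exit()`, so repeated token failures on this endpoint stay invisible to the operator. Consider writing a warning-level log entry (request path and remote address, never the token) just before the `send` call. The response also still appears to go out as an ordinary event stream, so a client that does not close the source on 'error' may reconnect automatically and hit the same check again. Only update.js is visibly changed to close it. The constructor starts and ends outside this hunk.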
@@ -51,10 +52,10 @@ class OC_EventSource{
 
        /**
         * send a message to the client
-        * @param string type
-        * @param object data
+        * @param string $type
+        * @param object $data
         *
-        * if only one paramater is given, a typeless message will be send with that paramater as data
+        * if only one parameter is given, a typeless message will be send with that parameter as data
         */
        public function send($type, $data=null) {
                if(is_null($data)) {