Add missing CSRF check.

diff --git a/apps/contacts/ajax/uploadimport.php b/apps/contacts/ajax/uploadimport.php
index c1e9c8b1ad15e7e4ae6fed34f2374f79d33d4bfa..9511520828f032e392faabcfc3517e27c2715cca 100644 (file)
--- a/apps/contacts/ajax/uploadimport.php
+++ b/apps/contacts/ajax/uploadimport.php
@@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 require_once('loghandler.php');
 
 $view = OCP\Files::getStorage('contacts');

diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js
index d4b3ef588ba38bcbf6f62a835eb34e9809312a08..25fc122bf30ad45cf5d25cfd76b84c1b1913f07b 100644 (file)
--- a/apps/contacts/js/contacts.js
+++ b/apps/contacts/js/contacts.js
@@ -1465,7 +1465,7 @@ Contacts={
                                                        }
                                                }
                                        };
-                                       xhr.open('POST', OC.filePath('contacts', 'ajax', 'uploadimport.php') + '?file='+encodeURIComponent(file.name), true);
+                                       xhr.open('POST', OC.filePath('contacts', 'ajax', 'uploadimport.php') + '?file='+encodeURIComponent(file.name)+'&requesttoken='+requesttoken, true);
                                        xhr.setRequestHeader('Cache-Control', 'no-cache');
                                        xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
                                        xhr.setRequestHeader('X_FILE_NAME', encodeURIComponent(file.name));