diff options
| author | Thomas Müller <thomas.mueller@tmit.eu> | 2013-07-11 00:00:01 +0200 |
|---|---|---|
| committer | Thomas Müller <thomas.mueller@tmit.eu> | 2013-07-11 00:00:01 +0200 |
| commit | 5e29f7d3246f748cc90e472711664e65c0e573f2 (patch) | |
| tree | e1b3c2a308ed405f3b5bcf03ad4cef70c9b76d71 | |
| parent | 7d7b7e6e63a15a2e41aa4d17e780121e6c5b426c (diff) | |
| download | nextcloud-server-5e29f7d3246f748cc90e472711664e65c0e573f2.tar.gz nextcloud-server-5e29f7d3246f748cc90e472711664e65c0e573f2.zip | |
- eventsource.php: in case of potential CSRF attack we send an error message from the EventSource to the browser
- eventsource.js: handle undefined data on event
- update.js: in case of error we close the event source - advise the user to reload the page
- update.php: EventSource initialization is now done before we enter the maintenance mode in order to allow browser reload in case of possible CSRF attack
| -rw-r--r-- | core/js/eventsource.js | 6 | ||||
| -rw-r--r-- | core/js/update.js | 5 | ||||
| -rw-r--r-- | lib/eventsource.php | 9 |
3 files changed, 14 insertions, 6 deletions
diff --git a/core/js/eventsource.js b/core/js/eventsource.js index ce8c8387c8e..536b180bc8f 100644 --- a/core/js/eventsource.js +++ b/core/js/eventsource.js @@ -110,7 +110,11 @@ OC.EventSource.prototype={ this.listeners[type].push(callback); }else{ this.source.addEventListener(type,function(e){ - callback(JSON.parse(e.data)); + if (typeof e.data != 'undefined') { + callback(JSON.parse(e.data)); + } else { + callback(''); + } },false); } }else{ diff --git a/core/js/update.js b/core/js/update.js index 8ab02bbf935..2c28e72f7cd 100644 --- a/core/js/update.js +++ b/core/js/update.js @@ -5,6 +5,9 @@ $(document).ready(function () { }); updateEventSource.listen('error', function(message) { $('<span>').addClass('error').append(message).append('<br />').appendTo($('.update')); + message = 'Please reload the page.'; + $('<span>').addClass('error').append(message).append('<br />').appendTo($('.update')); + updateEventSource.close(); }); updateEventSource.listen('failure', function(message) { $('<span>').addClass('error').append(message).append('<br />').appendTo($('.update')); @@ -20,4 +23,4 @@ $(document).ready(function () { window.location.href = OC.webroot; }, 3000); }); -});
\ No newline at end of file +}); diff --git a/lib/eventsource.php b/lib/eventsource.php index 63f19792529..31d6edc1874 100644 --- a/lib/eventsource.php +++ b/lib/eventsource.php @@ -25,7 +25,7 @@ * wrapper for server side events (http://en.wikipedia.org/wiki/Server-sent_events) * includes a fallback for older browsers and IE * - * use server side events with causion, to many open requests can hang the server + * use server side events with caution, to many open requests can hang the server */ class OC_EventSource{ private $fallback; @@ -43,6 +43,7 @@ class OC_EventSource{ header("Content-Type: text/event-stream"); } if( !OC_Util::isCallRegistered()) { + $this->send('error', 'Possible CSRF attack. Connection will be closed.'); exit(); } flush(); @@ -51,10 +52,10 @@ class OC_EventSource{ /** * send a message to the client - * @param string type - * @param object data + * @param string $type + * @param object $data * - * if only one paramater is given, a typeless message will be send with that paramater as data + * if only one parameter is given, a typeless message will be send with that parameter as data */ public function send($type, $data=null) { if(is_null($data)) { |