authorRobin Appelman <icewind@owncloud.com>2012-07-22 16:36:09 +0200
committerRobin Appelman <icewind@owncloud.com>2012-07-22 16:37:49 +0200
commitb1010160b363223c1e1c1cc7137dfb8e9aa3ab5b (patch)
tree708e1ea6d1f19c5d5b961a81fa9a28ef03e6c534
parenta49c07cf88f5093ab9a5af15384296aa2acbcd6d (diff)
downloadnextcloud-server-b1010160b363223c1e1c1cc7137dfb8e9aa3ab5b.tar.gz
nextcloud-server-b1010160b363223c1e1c1cc7137dfb8e9aa3ab5b.zip
CSRF protection for eventsource
-rw-r--r--apps/files/ajax/newfile.php2
-rw-r--r--core/js/eventsource.js1
-rw-r--r--core/templates/layout.user.php1
-rw-r--r--lib/eventsource.php3
4 files changed, 7 insertions, 0 deletions
diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php
index de054d9ce0c..cc9208ad08f 100644
--- a/apps/files/ajax/newfile.php
+++ b/apps/files/ajax/newfile.php
@@ -17,6 +17,8 @@ $source = isset( $_REQUEST['source'] ) ? stripslashes($_REQUEST['source']) : '';
if($source){
$eventSource=new OC_EventSource();
+}else{
+ OC_JSON::callCheck();
}
if($filename == '') {
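Review bot: Which branch enforces the CSRF check is selected by the client-controlled `source` parameter (read from `$_REQUEST` on the line named in the hunk header), so the `OC_JSON::callCheck()` added in the `else` branch only protects the request if the `if` branch is guaranteed to perform an equivalent check inside `OC_EventSource`'s constructor. That coupling is invisible in this file; record it with a comment on the `if` branch, e.g. `// streaming requests: the CSRF token is validated in OC_EventSource's constructor`. Note also that the two paths fail differently: `callCheck()` answers with a JSON error, while the event-source path is expected to terminate without a message, so a missing token on the streaming path is harder to diagnose from the client.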
diff --git a/core/js/eventsource.js b/core/js/eventsource.js
index 08259e02cae..e3ad7e3a671 100644
--- a/core/js/eventsource.js
+++ b/core/js/eventsource.js
@@ -40,6 +40,7 @@ OC.EventSource=function(src,data){
dataStr+=name+'='+encodeURIComponent(data[name])+'&';
}
}
+ dataStr+='requesttoken='+OC.EventSource.requesttoken;
if(!this.useFallBack && typeof EventSource !='undefined'){
this.source=new EventSource(src+'?'+dataStr);
this.source.onmessage=function(e){
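Review bot: The token is appended raw on the added line, while every other parameter in the loop above goes through `encodeURIComponent`; if `OC.EventSource.requesttoken` is undefined (a page that never set it), the literal string `undefined` is sent and the server-side check fails without a clear cause. Use `dataStr+='requesttoken='+encodeURIComponent(OC.EventSource.requesttoken);` and consider a guard that logs or throws when the token is unset rather than sending a request that will be rejected. Because EventSource cannot set request headers, the token travels in the query string, where web-server and proxy access logs may record it; a short comment stating that here would help whoever decides on log retention.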
diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php
index 7e98fdedc2d..dc303ffc1a7 100644
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@@ -33,6 +33,7 @@
<script type="text/javascript">
$(function() {
requesttoken = '<?php echo $_['requesttoken']; ?>';
+ OC.EventSource.requesttoken=requesttoken;
$(document).bind('ajaxSend', function(elm, xhr, s){
if(requesttoken) {
xhr.setRequestHeader('requesttoken', requesttoken);
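Review bot: `OC.EventSource.requesttoken=requesttoken;` assumes `OC.EventSource` is already defined when the DOM-ready handler runs; if core/js/eventsource.js is loaded later or is absent on some layout, the assignment throws a TypeError and the rest of the handler, including the `ajaxSend` binding that attaches the token header on the lines below, never runs. A guard such as `if (OC.EventSource) { OC.EventSource.requesttoken = requesttoken; }` keeps the header binding intact in that case. Script load order cannot be confirmed from this hunk.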
diff --git a/lib/eventsource.php b/lib/eventsource.php
index 2a8c6b92902..95af2e471bc 100644
--- a/lib/eventsource.php
+++ b/lib/eventsource.php
@@ -42,6 +42,9 @@ class OC_EventSource{
}else{
header("Content-Type: text/event-stream");
}
+ if( !OC_Util::isCallRegistered()){
+ exit();
+ }
flush();
}
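Review bot: The `isCallRegistered()` check runs at the end of the constructor, after the `Content-Type` header (and, inferred from the `else` structure above, any fallback output) has already been emitted, so a rejected request still returns a 200 `text/event-stream` response with an empty body; a browser's EventSource treats that as a dropped connection and reconnects, and the client cannot distinguish a CSRF rejection from an empty stream. Move the check to the top of the constructor, before any `header()` call, and terminate with a non-200 status plus a log entry so retries stop and the rejection is visible to operators, e.g. `if (!OC_Util::isCallRegistered()) { header('HTTP/1.1 403 Forbidden'); exit(); }`. The constructor begins outside the hunk.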