author | Morris Jobke <hey@morrisjobke.de> | 2018-11-27 10:32:48 +0100 |
---|---|---|
committer | Morris Jobke <hey@morrisjobke.de> | 2018-11-27 11:54:25 +0100 |
commit | 7b90e05507b2db44156d2bad233e475cd3467e2e (patch) | |
tree | 2dd2c40209aaf0f71ced4f0f42484c2c3ca8cf10 /apps/updatenotification/src | |
parent | e8886fb63ae86e1f67c06a8dd1d31be8a49c2151 (diff) | |
Open the updater via a POST form submit instead of eval the JS code directly
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Diffstat (limited to 'apps/updatenotification/src')
-rw-r--r-- | apps/updatenotification/src/components/root.vue | 43 |
1 files changed, 15 insertions, 28 deletions
diff --git a/apps/updatenotification/src/components/root.vue b/apps/updatenotification/src/components/root.vue
index 351fe947765..2ffae336130 100644
--- a/apps/updatenotification/src/components/root.vue
+++ b/apps/updatenotification/src/components/root.vue
@@ -251,34 +251,21 @@
 clickUpdaterButton: function() {
 $.ajax({
 url: OC.generateUrl('/apps/updatenotification/credentials')
- }).success(function(data) {
- $.ajax({
- url: OC.getRootPath()+'/updater/',
- headers: {
- 'X-Updater-Auth': data
- },
- method: 'POST',
- success: function(data){
- if(data !== 'false') {
- var body = $('body');
- $('head').remove();
- body.html(data);
-
- // Eval the script elements in the response
- var dom = $(data);
- dom.filter('script').each(function() {
- eval(this.text || this.textContent || this.innerHTML || '');
- });
-
- body.removeAttr('id');
- body.attr('id', 'body-settings');
- }
- },
- error: function() {
- OC.Notification.showTemporary(t('updatenotification', 'Could not start updater, please try the manual update'));
- this.updaterEnabled = false;
- }.bind(this)
- });
+ }).success(function(token) {
+ // create a form to send a proper post request to the updater
+ var form = document.createElement('form');
+ form.setAttribute('method', 'post');
+ form.setAttribute('action', OC.getRootPath() + '/updater/');
+
+ var hiddenField = document.createElement('input');
+ hiddenField.setAttribute('type', 'hidden');
+ hiddenField.setAttribute('name', 'updater-secret-input');
+ hiddenField.setAttribute('value', token);
+
+ form.appendChild(hiddenField);
+
+ document.body.appendChild(form);
+ form.submit();
 }.bind(this));
 },
 changeReleaseChannel: function() {
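Review bot: The new `clickUpdaterButton` has no failure path left. The removed `error:` callback that showed 'Could not start updater, please try the manual update' and cleared `updaterEnabled` is not replaced, and the credentials request itself has only a `.success()` handler, so a failed token fetch now does nothing visible. I would chain a `.fail()` on the credentials call that runs `OC.Notification.showTemporary(t('updatenotification', 'Could not start updater, please try the manual update'));` and `this.updaterEnabled = false;`, which also gives the remaining `.bind(this)` a purpose again. The response is written into the `updater-secret-input` field unchecked, so it is worth confirming `token` is a non-empty string before building the form, so that an empty or error body is not posted as the secret. Building the field with `setAttribute` instead of markup keeps the token out of any HTML parsing, which is a clear improvement over the removed `eval` of response scripts.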