From 7b90e05507b2db44156d2bad233e475cd3467e2e Mon Sep 17 00:00:00 2001
From: Morris Jobke
Date: Tue, 27 Nov 2018 10:32:48 +0100
Subject: Open the updater via a POST form submit instead of eval the JS code directly
Signed-off-by: Morris Jobke
---
 apps/updatenotification/src/components/root.vue | 43 +++++++++---------------
 1 file changed, 15 insertions(+), 28 deletions(-)
(limited to 'apps/updatenotification/src')
diff --git a/apps/updatenotification/src/components/root.vue b/apps/updatenotification/src/components/root.vue
index 351fe947765..2ffae336130 100644
--- a/apps/updatenotification/src/components/root.vue
+++ b/apps/updatenotification/src/components/root.vue
@@ -251,34 +251,21 @@
 clickUpdaterButton: function() {
 $.ajax({
 url: OC.generateUrl('/apps/updatenotification/credentials')
- }).success(function(data) {
- $.ajax({
- url: OC.getRootPath()+'/updater/',
- headers: {
- 'X-Updater-Auth': data
- },
- method: 'POST',
- success: function(data){
- if(data !== 'false') {
- var body = $('body');
- $('head').remove();
- body.html(data);
-
- // Eval the script elements in the response
- var dom = $(data);
- dom.filter('script').each(function() {
- eval(this.text || this.textContent || this.innerHTML || '');
- });
-
- body.removeAttr('id');
- body.attr('id', 'body-settings');
- }
- },
- error: function() {
- OC.Notification.showTemporary(t('updatenotification', 'Could not start updater, please try the manual update'));
- this.updaterEnabled = false;
- }.bind(this)
- });
+ }).success(function(token) {
+ // create a form to send a proper post request to the updater
+ var form = document.createElement('form');
+ form.setAttribute('method', 'post');
+ form.setAttribute('action', OC.getRootPath() + '/updater/');
+
+ var hiddenField = document.createElement('input');
+ hiddenField.setAttribute('type', 'hidden');
+ hiddenField.setAttribute('name', 'updater-secret-input');
+ hiddenField.setAttribute('value', token);
+
+ form.appendChild(hiddenField);
+
+ document.body.appendChild(form);
+ form.submit();
 }.bind(this));
 },
 changeReleaseChannel: function() {
-- cgit v1.2.3
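Review bot: The inner `error` callback that showed `OC.Notification.showTemporary(t('updatenotification', 'Could not start updater, please try the manual update'))` and set `this.updaterEnabled = false` disappears together with the inner `$.ajax`, and the remaining `$.ajax` on the credentials endpoint still has only a `.success` handler, so a failed token request now leaves the button silently doing nothing. Attach the dropped handler to that call, e.g. `}).fail(function() { OC.Notification.showTemporary(t('updatenotification', 'Could not start updater, please try the manual update')); this.updaterEnabled = false; }.bind(this));`, and the `.bind(this)` on the success callback can then go, since the new body no longer references `this`. Building the form with `createElement`/`setAttribute` rather than interpolating `token` into markup is the right way to hand the secret over, but a one-line comment on the `hiddenField` lines saying that `updater-secret-input` must match the field name the updater reads would help, as that contract is not visible from this file and is presumably what the old `X-Updater-Auth` header used to carry.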