authorJean-Philippe Lang <jp_lang@yahoo.fr>2011-03-14 21:31:02 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2011-03-14 21:31:02 +0000
commit36dbb3906b322b385575ff5d71768a092d4688cf (patch)
tree33f9dcb355de508cd575c8b4b58df92de81a506f /public/javascripts
parent6f5ffce7993923bf6568b1d756b7a101f7b75028 (diff)
Send the CSRF token with Ajax requests (#7843).
Contributed by Etienne Massip. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@5134 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'public/javascripts')
-rw-r--r--public/javascripts/application.js22
1 files changed, 20 insertions, 2 deletions
diff --git a/public/javascripts/application.js b/public/javascripts/application.js
index a88856ea6..3996404bb 100644
--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -299,9 +299,27 @@ var WarnLeavingUnsaved = Class.create({
}
});
-/* shows and hides ajax indicator */
+/*
+ * 1 - registers a callback which copies the csrf token into the
+ * X-CSRF-Token header with each ajax request. Necessary to
+ * work with rails applications which have fixed
+ * CVE-2011-0447
+ * 2 - shows and hides ajax indicator
+ */
Ajax.Responders.register({
- onCreate: function(){
+ onCreate: function(request){
+ var csrf_meta_tag = $$('meta[name=csrf-token]')[0];
+
+ if (csrf_meta_tag) {
+ var header = 'X-CSRF-Token',
+ token = csrf_meta_tag.readAttribute('content');
+
+ if (!request.options.requestHeaders) {
+ request.options.requestHeaders = {};
+ }
+ request.options.requestHeaders[header] = token;
+ }
+
if ($('ajax-indicator') && Ajax.activeRequestCount > 0) {
Element.show('ajax-indicator');
}