fixes csrf with mediauploader.ashx

2014-05-22 12:44:04 +10:00
parent f325794523
commit 62887607ff
3 changed files with 29 additions and 4 deletions
--- a/src/Umbraco.Web.UI/umbraco_client/FolderBrowser/Js/folderbrowser.js
+++ b/src/Umbraco.Web.UI/umbraco_client/FolderBrowser/Js/folderbrowser.js
@@ -180,6 +180,7 @@ Umbraco.Sys.registerNamespace("Umbraco.Controls");
                instructions +
                "<form action=\"" + self._opts.umbracoPath + "/webservices/MediaUploader.ashx?format=json&action=upload&parentNodeId=" + this._parentId + "\" method=\"post\" enctype=\"multipart/form-data\">" +
                "<input id='fileupload' type='file' name='file' multiple>" +
+                "<input type='hidden' name='__reqver' value='" + self._opts.reqver + "' />" +
                "<input type='hidden' name='name' />" +
                "<input type='hidden' name='replaceExisting' />" +
                "</form>" +
--- a/src/Umbraco.Web/UI/Controls/FolderBrowser.cs
+++ b/src/Umbraco.Web/UI/Controls/FolderBrowser.cs
@@ -4,6 +4,7 @@ using System.Text;
 using System.Web.UI;
 using System.Web.UI.WebControls;
 using ClientDependency.Core;
+using Umbraco.Core;
 using Umbraco.Web.UI.Bundles;
 using umbraco.BasePages;
 using Umbraco.Core.IO;
@@ -138,10 +139,11 @@ namespace Umbraco.Web.UI.Controls

            Page.ClientScript.RegisterStartupScript(typeof(FolderBrowser),
                "RegisterFolderBrowsers",
-                string.Format("$(function () {{ $(\".umbFolderBrowser\").folderBrowser({{ umbracoPath : '{0}', basePath : '{1}' }}); " +
+                string.Format("$(function () {{ $(\".umbFolderBrowser\").folderBrowser({{ umbracoPath : '{0}', basePath : '{1}', reqver : '{2}' }}); " +
                 "$(\".umbFolderBrowser #filterTerm\").keypress(function(event) {{ return event.keyCode != 13; }});}});",
                IOHelper.ResolveUrl(SystemDirectories.Umbraco),
-                IOHelper.ResolveUrl(SystemDirectories.Base)),
+                IOHelper.ResolveUrl(SystemDirectories.Base),
+                UmbracoEnsuredPage.umbracoUserContextID.EncryptWithMachineKey() ),
                true);
        }

--- a/src/Umbraco.Web/umbraco.presentation/umbraco/webservices/MediaUploader.ashx.cs
+++ b/src/Umbraco.Web/umbraco.presentation/umbraco/webservices/MediaUploader.ashx.cs
@@ -256,10 +256,32 @@ namespace umbraco.presentation.umbraco.webservices
            else
            {
                var usr = User.GetCurrent();
+                
                if (BasePage.ValidateUserContextID(BasePage.umbracoUserContextID) && usr != null)
                {
-                    isValid = true;
-                    AuthenticatedUser = usr;    
+                    //The user is valid based on their cookies, but is the request valid? We need to validate
+                    // against CSRF here. We'll do this by ensuring that the request contains a token which will
+                    // be equal to the decrypted version of the current user's user context id.
+                    var token = context.Request["__reqver"];
+                    if (token.IsNullOrWhiteSpace() == false)
+                    {
+                        //try decrypting it
+                        try
+                        {
+                            var decrypted = token.DecryptWithMachineKey();
+                            //now check if it matches
+                            if (decrypted == BasePage.umbracoUserContextID)
+                            {
+                                isValid = true;
+                                AuthenticatedUser = usr;
+                            }
+                        }
+                        catch
+                        {
+                           //couldn't decrypt, so it's invalid
+                        }
+                        
+                    }
                }
            }