
01_FHEMWEB.pm: csrfToken adjustments (Forum #67372)

git-svn-id: https://svn.fhem.de/fhem/trunk@13556 2b470e98-0d58-463d-a4d8-8e2adae1ed80
rudolfkoenig 2017-03-01 08:54:12 +00:00
parent 6b8316b4cf
commit cc2ce09b7c
2 changed files with 14 additions and 10 deletions


@ -279,7 +279,7 @@ FW_Define($$)
InternalTimer(1, sub(){
if($featurelevel >= 5.8 && !AttrVal($name, "csrfToken", undef)) {
my ($x,$y) = gettimeofday();
$hash->{CSRFTOKEN} = "fhem_".(rand($y)*rand($x));
($defs{WEB}{CSRFTOKEN} = "csrf_".(rand($y)*rand($x))) =~s/[^a-z_0-9]//g;
$FW_csrfTokenCache{$name} = $hash->{CSRFTOKEN};
}
}, $hash, 0);
@ -425,7 +425,7 @@ FW_Read($$)
"Access-Control-Max-Age:86400\r\n".
"Access-Control-Expose-Headers: X-FHEM-csrfToken\r\n": "");
$FW_headerlines .= "X-FHEM-csrfToken: $defs{$FW_wname}{CSRFTOKEN}\r\n"
if($defs{$FW_wname}{CSRFTOKEN});
if(defined($defs{$FW_wname}{CSRFTOKEN}));
#########################
# Return 200 for OPTIONS or 405 for unsupported method
@ -720,7 +720,7 @@ FW_answerCall($)
$FW_RET = "";
$FW_RETTYPE = "text/html; charset=$FW_encoding";
$FW_CSRF = ($defs{$FW_wname}{CSRFTOKEN} ?
$FW_CSRF = (defined($defs{$FW_wname}{CSRFTOKEN}) ?
"&fwcsrf=".$defs{$FW_wname}{CSRFTOKEN} : "");
$MW_dir = "$attr{global}{modpath}/FHEM";
@ -812,7 +812,7 @@ FW_answerCall($)
$FW_tp ? "640,160" : "800,160");
my ($cmd, $cmddev) = FW_digestCgi($arg);
if($cmd && $FW_CSRF) {
my $supplied = $FW_webArgs{fwcsrf} ? $FW_webArgs{fwcsrf} : "";
my $supplied = defined($FW_webArgs{fwcsrf}) ? $FW_webArgs{fwcsrf} : "";
my $want = $defs{$FW_wname}{CSRFTOKEN};
if($supplied ne $want) {
Log3 $FW_wname, 3, "FHEMWEB $FW_wname CSRF error: $supplied ne $want. ".
@ -2500,7 +2500,7 @@ FW_Attr(@)
my $csrf = $param[0];
if($csrf eq "random") {
my ($x,$y) = gettimeofday();
$csrf = rand($y)*rand($x);
($csrf = "csrf_".(rand($y)*rand($x))) =~ s/[^a-z_0-9]//g;
}
if($csrf eq "none") {
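Review bot: In the FW_Define hunk the sanitized token is stored in `$defs{WEB}{CSRFTOKEN}` while the next line still reads `$hash->{CSRFTOKEN}` into `$FW_csrfTokenCache{$name}`, so for any FHEMWEB instance not literally named WEB the token lands on the wrong device and the cache entry is undef (this assumes the `csrf_` line is the new side, which the matching rewrite in FW_Attr suggests). The line should be `($hash->{CSRFTOKEN} = "csrf_".(rand($y)*rand($x))) =~ s/[^a-z_0-9]//g;`. Note also that the token comes from Perl's `rand`, which is not a cryptographic generator; since the server hands the current token out in the X-FHEM-csrfToken header anyway this is probably acceptable, but a comment such as `# not CSPRNG-grade; token is exposed per response, unpredictability across instances is not relied upon` would stop a reader from assuming more. Adjacent and unchanged here: the CSRF-error log in FW_answerCall writes the expected token `$want` to the log at verbosity 3, which leaks the valid token into log files, so consider logging only `$supplied`. FW_Define's timer body continues outside the hunk.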


@ -8,7 +8,7 @@ var FW_serverLastMsg = FW_serverFirstMsg;
var FW_isIE = (navigator.appVersion.indexOf("MSIE") > 0);
var FW_isiOS = navigator.userAgent.match(/(iPad|iPhone|iPod)/);
var FW_scripts = {}, FW_links = {};
var FW_docReady = false, FW_longpollType, FW_csrfToken;
var FW_docReady = false, FW_longpollType, FW_csrfToken, FW_csrfOk=true;
var FW_root = "/fhem"; // root
var embedLoadRetry = 100;
@ -367,9 +367,9 @@ log(txt)
function
addcsrf(arg)
{
if(FW_csrfToken) {
if(typeof FW_csrfToken != "undefined") {
arg = arg.replace(/&fwcsrf=[^&]*/,'');
arg += '&fwcsrf='+FW_csrfToken;
arg += '&fwcsrf='+encodeURIComponent(FW_csrfToken);
}
return arg;
}
@ -377,11 +377,14 @@ addcsrf(arg)
function
FW_csrfRefresh(callback)
{
log("FW_csrfRefresh");
log("FW_csrfRefresh, last was "+(FW_csrfOk ? "ok":"bad"));
if(!FW_csrfOk) // avoid endless loop
return;
$.ajax({
url:location.pathname+"?XHR=1",
success: function(data, textStatus, request){
FW_csrfToken = request.getResponseHeader('x-fhem-csrftoken');
FW_csrfOk = false;
if(callback)
callback();
}
@ -396,13 +399,14 @@ FW_cmd(arg, callback)
url:addcsrf(arg)+'&fw_id='+$("body").attr('fw_id'),
method:'POST',
success: function(data, textStatus, req){
FW_csrfOk = true;
if(callback)
callback(req.responseText);
else if(req.responseText)
FW_errmsg(req.responseText, 5000);
},
error:function(xhr, status, err) {
if(xhr.status == 401 && FW_csrfToken) {
if(xhr.status == 401 && typeof FW_csrfToken != "undefined") {
FW_csrfToken = "";
FW_csrfRefresh(function(){FW_cmd(arg, callback)});
}
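Review bot: The `FW_csrfOk` latch added in FW_csrfRefresh turns a second consecutive 401 into a silent failure: after a refresh the flag is false until some FW_cmd succeeds, so if the retried command is rejected again (for example the token was regenerated between refresh and retry, or `getResponseHeader` returned null because the header was not sent) the early `return` drops the pending callback without reporting anything, and since nothing resets the flag every later 401 on the page is also ignored. A bounded version that still prevents the loop but recovers per command is `if(!FW_csrfOk) { FW_csrfOk = true; FW_errmsg("csrf token refresh failed", 5000); return; }`. It would also help to document the intent at the declaration, e.g. `var ... FW_csrfOk=true; // false between a token refresh and the next successful command; guards against a refresh/401 loop`. The error handler of FW_cmd continues outside the hunk, so non-401 handling was not reviewed.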