From f5ef237970da8c040ad22cd00fcc99027a64eeca Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 20 Jan 2017 11:05:08 +0100
Subject: [PATCH] csrf, don't try to pass tokenkey, ref : https://github.com/phalcon/cphalcon/blob/v3.0.3/phalcon/security.zep#L377
---
 .../mvc/app/controllers/OPNsense/Base/ApiControllerBase.php | 5 ++---
 src/opnsense/mvc/app/views/layouts/default.volt | 1 -
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php b/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
index 76bb66ed6..a4e4dca49 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
@@ -175,9 +175,8 @@ class ApiControllerBase extends ControllerRoot
 }
 // check for valid csrf on post requests
- $csrf_tokenkey = $this->request->getHeader('X_CSRFTOKENKEY');
- $csrf_token = $this->request->getHeader('X_CSRFTOKEN');
- $csrf_valid = $this->security->checkToken($csrf_tokenkey, $csrf_token, false);
+ $csrf_token = $this->request->getHeader('X_CSRFTOKEN');
+ $csrf_valid = $this->security->checkToken(null, $csrf_token, false);
 if (($this->request->isPost() ||
 $this->request->isPut() ||
diff --git a/src/opnsense/mvc/app/views/layouts/default.volt b/src/opnsense/mvc/app/views/layouts/default.volt
index e10d7113f..f69d97bc9 100644
--- a/src/opnsense/mvc/app/views/layouts/default.volt
+++ b/src/opnsense/mvc/app/views/layouts/default.volt
@@ -51,7 +51,6 @@
 $.ajaxSetup({
 'beforeSend': function(xhr) {
 xhr.setRequestHeader("X-CSRFToken", "{{ csrf_token }}" );
- xhr.setRequestHeader("X-CSRFTokenKey", "{{ csrf_tokenKey }}" );
 }
 });
 // propagate ajax error messages
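Review bot: The `null` first argument on the new `checkToken(null, $csrf_token, false)` line is an unstated dependency on Phalcon's Security::checkToken resolving the token key from the server-side session when none is supplied (the referenced security.zep does that, and presumably fails the check when the session holds no key), so the key no longer comes from anything the client controls. Nothing in the hunk says this, and the next reader may be tempted to reinstate a client-supplied key; add a comment above the call such as `// tokenKey is null on purpose: Phalcon looks the key up in the session, only the token value comes from the request`. The old `X_CSRFTOKENKEY` header is now simply ignored rather than rejected, which is worth stating in the same comment. The enclosing request-filter method starts and ends outside the hunk.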