forked from midou/invidious
Check user_id as part of validating CSRF tokens
This commit is contained in:
parent
b9c29bf537
commit
1ff8579575
@ -1429,7 +1429,7 @@ post "/delete_account" do |env|
|
|||||||
token = env.params.body["token"]?
|
token = env.params.body["token"]?
|
||||||
|
|
||||||
begin
|
begin
|
||||||
validate_response(challenge, token, "delete_account", HMAC_KEY)
|
validate_response(challenge, token, user.email, "delete_account", HMAC_KEY)
|
||||||
rescue ex
|
rescue ex
|
||||||
error_message = ex.message
|
error_message = ex.message
|
||||||
next templated "error"
|
next templated "error"
|
||||||
@ -1474,7 +1474,7 @@ post "/clear_watch_history" do |env|
|
|||||||
token = env.params.body["token"]?
|
token = env.params.body["token"]?
|
||||||
|
|
||||||
begin
|
begin
|
||||||
validate_response(challenge, token, "clear_watch_history", HMAC_KEY)
|
validate_response(challenge, token, user.email, "clear_watch_history", HMAC_KEY)
|
||||||
rescue ex
|
rescue ex
|
||||||
error_message = ex.message
|
error_message = ex.message
|
||||||
next templated "error"
|
next templated "error"
|
||||||
|
@ -403,7 +403,7 @@ def create_response(user_id, operation, key)
|
|||||||
return challenge, token
|
return challenge, token
|
||||||
end
|
end
|
||||||
|
|
||||||
def validate_response(challenge, token, action, key)
|
def validate_response(challenge, token, user_id, operation, key)
|
||||||
if !challenge
|
if !challenge
|
||||||
raise "Hidden field \"challenge\" is a required field"
|
raise "Hidden field \"challenge\" is a required field"
|
||||||
end
|
end
|
||||||
@ -414,7 +414,7 @@ def validate_response(challenge, token, action, key)
|
|||||||
|
|
||||||
challenge = Base64.decode_string(challenge)
|
challenge = Base64.decode_string(challenge)
|
||||||
if challenge.split("-").size == 4
|
if challenge.split("-").size == 4
|
||||||
expire, nonce, user_id, operation = challenge.split("-")
|
expire, nonce, challenge_user_id, challenge_operation = challenge.split("-")
|
||||||
|
|
||||||
expire = expire.to_i?
|
expire = expire.to_i?
|
||||||
expire ||= 0
|
expire ||= 0
|
||||||
@ -429,7 +429,11 @@ def validate_response(challenge, token, action, key)
|
|||||||
raise "Invalid token"
|
raise "Invalid token"
|
||||||
end
|
end
|
||||||
|
|
||||||
if operation != action
|
if challenge_operation != operation
|
||||||
|
raise "Invalid token"
|
||||||
|
end
|
||||||
|
|
||||||
|
if challenge_user_id != user_id
|
||||||
raise "Invalid token"
|
raise "Invalid token"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user