Committing the event simulator file configuration csrf fix

wso2 · Jul 9, 2016 · d523aa1 · d523aa1
1 parent 9e289ab
commit d523aa1
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/...ulator/org.wso2.carbon.event.simulator.ui/src/main/resources/web/eventsimulator/index.jsp b/...ulator/org.wso2.carbon.event.simulator.ui/src/main/resources/web/eventsimulator/index.jsp
@@ -21,6 +21,7 @@
 
 <%@ taglib uri="http://wso2.org/projects/carbon/taglibs/carbontags.jar" prefix="carbon" %>
 <%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
+<%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>
 
 <script type="text/javascript" src="../ajax/js/prototype.js"></script>
 <script type="text/javascript" src="../admin/js/breadcrumbs.js"></script>
@@ -199,7 +200,7 @@
 
 
 <div id="fileArea">
-    <form name="csvFileForm" id="csvFileForm" method="post" action="../../fileupload/csv" enctype="multipart/form-data"
+    <form name="csvFileForm" id="csvFileForm" method="post" action="../../fileupload/csv?<csrf:tokenname/>=<csrf:tokenvalue/>" enctype="multipart/form-data"
           target="_self">
 
         <table class="styledLeft">

diff --git a/...arbon.event.simulator.ui/src/main/resources/web/eventsimulator/js/stream_configuration.js b/...arbon.event.simulator.ui/src/main/resources/web/eventsimulator/js/stream_configuration.js
@@ -113,9 +113,23 @@ function sendConfiguration(form){
     var jsonString="{\"FileName\":\""+fileName+"\",\"streamID\":\""+streamName+"\",\"seperateChar\":\""+seperateChar+"\"" +
         ",\"delayBetweenEventsInMilies\":"+delayBetweenEventsInMilies+"}";
 
+    var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
+    xhr.open("POST", "/carbon/admin/js/csrfPrevention.js", false);
+    xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1");
+    xhr.send(null);
+
+    var token_pair = xhr.responseText;
+    token_pair = token_pair.split(":");
+    var token_name = token_pair[0];
+    var token_value = token_pair[1];
+
     jQuery.ajax({
         type: "POST",
         url: "../eventsimulator/sendConfigValues_ajaxprocessor.jsp?jsonData=" + jsonString + "",
+        beforeSend: function(xhr){xhr.setRequestHeader(token_name, token_value);},
+        data: {},
+        contentType: "application/json; charset=utf-8",
+        dataType: "text",
         async: false,
 
         success:function(msg){