(mvc) csrf protection, not very likely to hit in normal situations, but when...

(mvc) csrf protection, not very likely to hit in normal situations, but when using legacy free applications, there might not be a csrf token leading to a denial of all requests. (cherry picked from commit 29e3bb3e)

(mvc) csrf protection, not very likely to hit in normal situations, but when...
(mvc) csrf protection, not very likely to hit in normal situations, but when using legacy free applications, there might not be a csrf token leading to a denial of all requests. (cherry picked from commit 29e3bb3e)
ea9b53f9 · Ad Schellevis · Franco Fichtner · 8ec53e30 · ea9b53f9
Commit ea9b53f9 authored Feb 28, 2017 by Ad Schellevis Committed by Franco Fichtner Mar 17, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

ControllerBase.php ...ense/mvc/app/controllers/OPNsense/Base/ControllerBase.php +5 -0

No files found.
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
@@ -197,6 +197,11 @@ class ControllerBase extends ControllerRoot
        // include csrf for volt view rendering.
        $csrf_token = $this->session->get('$PHALCON/CSRF$');
        $csrf_tokenKey = $this->session->get('$PHALCON/CSRF/KEY$');
+        if (empty($csrf_token) || empty($csrf_tokenKey)) {
+            // when there's no token in our session, request a new one
+            $csrf_token = $this->security->getToken();
+            $csrf_tokenKey = $this->security->getTokenKey();
+        }
        $this->view->setVars(['csrf_tokenKey' => $csrf_tokenKey,'csrf_token' => $csrf_token]);

        // link menu system to view, append /ui in uri because of rewrite