csrf, don't try to pass tokenkey, ref :...

csrf, don't try to pass tokenkey, ref : https://github.com/phalcon/cphalcon/blob/v3.0.3/phalcon/security.zep#L377

csrf, don't try to pass tokenkey, ref :...
csrf, don't try to pass tokenkey, ref : https://github.com/phalcon/cphalcon/blob/v3.0.3/phalcon/security.zep#L377
f5ef2379 · Ad Schellevis · 9eeca340 · f5ef2379 · f5ef2379
Commit f5ef2379 authored Jan 20, 2017 by Ad Schellevis
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 4 deletions

ApiControllerBase.php ...e/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php +2 -3

default.volt src/opnsense/mvc/app/views/layouts/default.volt +0 -1

No files found.
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
@@ -175,9 +175,8 @@ class ApiControllerBase extends ControllerRoot
            }
            // check for valid csrf on post requests
-            $csrf_tokenkey = $this->request->getHeader('X_CSRFTOKENKEY');
+            $csrf_token = $this->request->getHeader('X_CSRFTOKEN');
-            $csrf_token =   $this->request->getHeader('X_CSRFTOKEN');
+            $csrf_valid = $this->security->checkToken(null, $csrf_token, false);
-            $csrf_valid = $this->security->checkToken($csrf_tokenkey, $csrf_token, false);
            if (($this->request->isPost() ||
                    $this->request->isPut() ||

--- a/src/opnsense/mvc/app/views/layouts/default.volt
+++ b/src/opnsense/mvc/app/views/layouts/default.volt
@@ -51,7 +51,6 @@
                $.ajaxSetup({
                    'beforeSend': function(xhr) {
                        xhr.setRequestHeader("X-CSRFToken", "{{ csrf_token }}" );
-                        xhr.setRequestHeader("X-CSRFTokenKey", "{{ csrf_tokenKey }}" );
                    }
                });
                // propagate ajax error messages