Merge pull request #22424 from owncloud/add-generic-csrf-protection-to-webdav

Require CSRF token for non WebDAV authenticated requests
author: Thomas Müller <thomas.mueller@tmit.eu> 2016-02-19 11:13:00 +0300
committer: Thomas Müller <thomas.mueller@tmit.eu> 2016-02-19 11:13:00 +0300
commit: f6e61a296f67f71a1c6d5d5bf8d7e891cd708b43 (patch)
tree: bb3e285215d32089fdba1d8b55c5495e1507ea50 /core
parent: 99051cdbe54c6efa131498f699c1d29642885c74 (diff)
parent: 9b3c4e8dc453a674c0f1aee8c60e9d7f24b34e49 (diff)
2 files changed, 6 insertions, 2 deletions
diff --git a/core/js/files/client.js b/core/js/files/client.js
index a7f393d325f..0bf5a69e19c 100644
--- a/core/js/files/client.js
+++ b/core/js/files/client.js
@@ -37,7 +37,10 @@
 		}
 
 		url += options.host + this._root;
-		this._defaultHeaders = options.defaultHeaders || {'X-Requested-With': 'XMLHttpRequest'};
+		this._defaultHeaders = options.defaultHeaders || {
+				'X-Requested-With': 'XMLHttpRequest',
+				'requesttoken': OC.requestToken
+			};
 		this._baseUrl = url;
 
 		var clientOptions = {
diff --git a/core/js/oc-backbone-webdav.js b/core/js/oc-backbone-webdav.js
index ba678a32fcf..1c1b5c71d81 100644
--- a/core/js/oc-backbone-webdav.js
+++ b/core/js/oc-backbone-webdav.js
@@ -240,7 +240,8 @@
 			return options.url;
 		};
 		var headers = _.extend({
-			'X-Requested-With': 'XMLHttpRequest'
+			'X-Requested-With': 'XMLHttpRequest',
+			'requesttoken': OC.requestToken
 		}, options.headers);
 		if (options.type === 'PROPFIND') {
 			return callPropFind(client, options, model, headers);
author	Thomas Müller <thomas.mueller@tmit.eu>	2016-02-19 11:13:00 +0300
committer	Thomas Müller <thomas.mueller@tmit.eu>	2016-02-19 11:13:00 +0300
commit	f6e61a296f67f71a1c6d5d5bf8d7e891cd708b43 (patch)
tree	bb3e285215d32089fdba1d8b55c5495e1507ea50 /core
parent	99051cdbe54c6efa131498f699c1d29642885c74 (diff)
parent	9b3c4e8dc453a674c0f1aee8c60e9d7f24b34e49 (diff)