
CSRF protection (#44)

Gabriel Corona il y a 6 ans
Parent
commit
d8a5cc54f6
3 fichiers modifiés avec 34 ajouts et 7 suppressions
  1. 1 1
      conf/ynh-vpnclient-loadcubefile.sh
  2. 5 0
      sources/controller.php
  3. 28 6
      sources/public/js/custom.js

+ 1 - 1
conf/ynh-vpnclient-loadcubefile.sh

@@ -96,7 +96,7 @@ fi
 
 # Upload cube file
 
-output=$(curl -kL -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')
+output=$(curl -kL -H "X-Requested-With: yunohost-config" -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')
 
 
 # Configure IPv6 Delegated Prefix on Hotspot
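Review bot: The exit status of curl is lost on the changed line: its stderr goes to /dev/null and the pipeline's status is that of the last sed, so a request the server refuses (for instance one that fails the new header check on the PHP side) leaves `output` empty instead of signalling an error. Consider `set -o pipefail` around this pipeline, or reading `${PIPESTATUS[0]}` right after it, so a failed upload is distinguishable from an empty message; how `output` is checked afterwards is outside the hunk. The `-k` on the same line also disables certificate verification for this loopback call; since `--resolve` keeps the real hostname, it can presumably be dropped when the host certificate is valid for `${ynh_domain}`, but that depends on the install's certificate and is worth confirming.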

+ 5 - 0
sources/controller.php

@@ -117,6 +117,11 @@ dispatch('/', function() {
 });
 
 dispatch_put('/settings', function() {
+
+  if(!isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
+    throw new Exception('CSRF protection');
+  }
+
   $service_enabled = isset($_POST['service_enabled']) ? 1 : 0;
 
   if($service_enabled == 1) {
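Review bot: The new guard at the top of the `/settings` handler rests on browsers not attaching a custom header to a cross-origin form post; the header's value is deliberately not inspected, which is fine for that purpose, but the rationale and its precondition are not written down. Suggest above the `isset`: `// CSRF: a cross-origin form post cannot carry a custom header without a CORS preflight, so the header's presence proves a same-origin XHR (or the loadcubefile script) sent this. Holds only while this app never answers with permissive Access-Control-Allow-* headers.` How the framework turns the thrown `Exception` into an HTTP response is not visible here; if it renders a 200 page, the AJAX caller in custom.js would treat the rejection as success, so it is worth confirming the rejection yields an error status. Any other state-changing route in this file would need the same check; the rest of this handler continues past the hunk.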

+ 28 - 6
sources/public/js/custom.js

@@ -28,7 +28,7 @@ function tabsClick() {
   return false;
 }
 
-$(document).ready(function() {
+function ready() {
   $('.btn-group').button();
   $('[data-toggle="tooltip"]').tooltip();
 
@@ -73,11 +73,31 @@ $(document).ready(function() {
     $(choosertxtid).val($(this).val().replace(/^.*[\/\\]/, ''));
   });
 
-  $('#save').click(function() {
-    $(this).prop('disabled', true);
+  $('#form').on("submit", function(event) {
+    event.preventDefault()
+    $('#save').prop('disabled', true);
     $('#save-loading').show();
-    $('#form').submit();
-  });
+    $.ajax({
+        url: this.action,
+        type: this.method,
+        contentType: false,
+        processData: false,
+        cache: false,
+        data: new FormData(this),
+        headers: {
+          'X-Requested-With': 'jQuery',
+        },
+        dataType: "html",
+        success: function(data){
+          document.body.innerHTML = new DOMParser().parseFromString(data, "text/html").body.innerHTML
+          ready()
+        },
+        error: function() {
+          $('#save').prop('disabled', false);
+          $('#save-loading').hide();
+        },
+    });
+  })
 
   $('#status .close').click(function() {
     $(this).parent().hide();
@@ -110,4 +130,6 @@ $(document).ready(function() {
       $('.enabled').show('slow');
     }
   });
-});
+}
+
+$(document).ready(ready)
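Review bot: The `error:` callback in the new submit handler (second hunk) re-enables the button but shows nothing, so a save the server rejects — including one refused by the new server-side header check — looks to the user as if nothing happened. Consider surfacing a visible failure message in that branch; the `#status` element the same function already handles looks like the natural place, though its markup is not in view. Note also that assigning the response to `document.body.innerHTML` does not execute any `<script>` the returned page may contain, and re-running `ready()` on the new body will re-attach, on every save, any handlers it binds to `document` or `window` rather than to replaced elements (none are visible in the hunks, so this is a point to confirm against the rest of the function). Stylistically, `event.preventDefault()` and the closing `})` lack the semicolons the surrounding file uses, and the `$.ajax` literal is indented eight spaces where the file uses two. The `ready` function opens in the first hunk and closes in the third.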