wbrawner/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

- eventsource.php: in case of potential CSRF attack we send an error message from the EventSource to the browser

Browse source 
- eventsource.js: handle undefined data on event
- update.js: in case of error we close the event source - advise the user to reload the page
- update.php: EventSource initialization is now done before we enter the maintenance mode in order to allow browser reload in case of possible CSRF attack
This commit is contained in:
Thomas Müller 2013-07-11 00:00:01 +02:00
parent d134ba9a82
commit d18bd17eb7
3 changed files with 14 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
core/js/eventsource.js
View file

@ -110,7 +110,11 @@ OC.EventSource.prototype={
this.listeners[type].push(callback); this.listeners[type].push(callback);
}else{ }else{
this.source.addEventListener(type,function(e){ this.source.addEventListener(type,function(e){
if (typeof e.data != 'undefined') {
callback(JSON.parse(e.data)); callback(JSON.parse(e.data));
} else {
callback('');
}
},false); },false);
} }
}else{ }else{

3
core/js/update.js
View file

@ -5,6 +5,9 @@ $(document).ready(function () {
}); });
updateEventSource.listen('error', function(message) { updateEventSource.listen('error', function(message) {
$('<span>').addClass('error').append(message).append('<br />').appendTo($('.update')); $('<span>').addClass('error').append(message).append('<br />').appendTo($('.update'));
message = 'Please reload the page.';
$('<span>').addClass('error').append(message).append('<br />').appendTo($('.update'));
updateEventSource.close();
}); });
updateEventSource.listen('failure', function(message) { updateEventSource.listen('failure', function(message) {
$('<span>').addClass('error').append(message).append('<br />').appendTo($('.update')); $('<span>').addClass('error').append(message).append('<br />').appendTo($('.update'));

9
lib/eventsource.php
View file

@ -25,7 +25,7 @@
* wrapper for server side events (http://en.wikipedia.org/wiki/Server-sent_events) * wrapper for server side events (http://en.wikipedia.org/wiki/Server-sent_events)
* includes a fallback for older browsers and IE * includes a fallback for older browsers and IE
* *
* use server side events with causion, to many open requests can hang the server * use server side events with caution, to many open requests can hang the server
*/ */
class OC_EventSource{ class OC_EventSource{
private $fallback; private $fallback;
@ -43,6 +43,7 @@ class OC_EventSource{
header("Content-Type: text/event-stream"); header("Content-Type: text/event-stream");
} }
if( !OC_Util::isCallRegistered()) { if( !OC_Util::isCallRegistered()) {
$this->send('error', 'Possible CSRF attack. Connection will be closed.');
exit(); exit();
} }
flush(); flush();
@ -51,10 +52,10 @@ class OC_EventSource{
/** /**
* send a message to the client * send a message to the client
* @param string type * @param string $type
* @param object data * @param object $data
* *
* if only one paramater is given, a typeless message will be send with that paramater as data * if only one parameter is given, a typeless message will be send with that parameter as data
*/ */
public function send($type, $data=null) { public function send($type, $data=null) {
if(is_null($data)) { if(is_null($data)) {