SECURITY: Don't send CSRF token in query string

The token is already present in the headers thanks to the csrf-token initializer.
2024-11-25 10:20:58 -06:00 · 2019-08-20 15:16:08 +01:00 · 2019-08-20 15:16:08 +01:00 · d59746cdc1
commit d59746cdc1
parent 75f37ac16a
2 changed files with 1 additions and 6 deletions
--- a/app/assets/javascripts/discourse/components/composer-editor.js.es6
+++ b/app/assets/javascripts/discourse/components/composer-editor.js.es6
@ -657,13 +657,10 @@ export default Ember.Component.extend({
    this._pasted = false;

    const $element = $(this.element);
-    const csrf = this.session.get("csrfToken");

    $element.fileupload({
      url: Discourse.getURL(
-        `/uploads.json?client_id=${
-          this.messageBus.clientId
-        }&authenticity_token=${encodeURIComponent(csrf)}`
+        `/uploads.json?client_id=${this.messageBus.clientId}`
      ),
      dataType: "json",
      pasteZone: $element
--- a/app/assets/javascripts/discourse/mixins/upload.js.es6
+++ b/app/assets/javascripts/discourse/mixins/upload.js.es6
@ -23,8 +23,6 @@ export default Ember.Mixin.create({
      getUrl(this.getWithDefault("uploadUrl", "/uploads")) +
      ".json?client_id=" +
      (this.messageBus && this.messageBus.clientId) +
-      "&authenticity_token=" +
-      encodeURIComponent(Discourse.Session.currentProp("csrfToken")) +
      this.uploadUrlParams
    );
  },