fix: [security] Enforce usage of POST to start an export generation process
As reported by Andrei Agape / Teliacompany
pull/9538/head
parent
9425c99894
commit
0ac2468c28
|
@ -154,6 +154,9 @@ class JobsController extends AppController
|
|||
if (Configure::read('MISP.disable_cached_exports')) {
|
||||
throw new MethodNotAllowedException('This feature is currently disabled');
|
||||
}
|
||||
if (!$this->request->is('post')) {
|
||||
throw new MethodNotAllowedException('This endpoint only accept POST.');
|
||||
}
|
||||
if ($this->_isSiteAdmin()) {
|
||||
$target = 'All events.';
|
||||
} else {
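Review bot: The message on the new throw line has a grammar slip ("only accept POST"); it should read `throw new MethodNotAllowedException('This endpoint only accepts POST.');`. Restricting the action to POST only stops cross-site triggering if the Security component's token/CSRF check is active for this action, which is not visible in the hunk — worth confirming, since the paired view change relies on a postLink form whose hidden fields the AJAX call serialises. The enclosing action continues past the hunk.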
|
||||
|
|
|
@ -114,7 +114,7 @@
|
|||
'<td><span class="btn-group">%s%s</span></td>',
|
||||
($k === 'text') ? '' : $this->Html->link(__('Download'), array('action' => 'downloadExport', $k), array('class' => 'btn btn-inverse btn-small')),
|
||||
sprintf(
|
||||
'<button class="btn btn-inverse btn-small" id=button%s onClick="generate(\'%s\', \'%s\', \'%s\', \'%s\', \'%s\')" %s>%s</button>',
|
||||
'<button class="btn btn-inverse btn-small" id=button%s onClick="generate(\'%s\', \'%s\', \'%s\', \'%s\', \'%s\')" %s>%s</button><div class="hidden">%s</div>',
|
||||
$i,
|
||||
h($i),
|
||||
h($k),
|
||||
|
@ -122,7 +122,8 @@
|
|||
h($type['progress']),
|
||||
h($type['lastModified']),
|
||||
(!$type['recommendation']) ? 'disabled' : '',
|
||||
__('Generate')
|
||||
__('Generate'),
|
||||
$this->Form->postLink(__('Download'), array('controller' => 'jobs', 'action' => 'cache', h($k)), array('class' => 'btn btn-inverse btn-small')),
|
||||
)
|
||||
);
|
||||
} else {
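Review bot: The new postLink line HTML-escapes a URL parameter, `array('controller' => 'jobs', 'action' => 'cache', h($k))`, which is the wrong escaping context: the key becomes part of a route that FormHelper URL-encodes and attribute-escapes itself, so any character h() rewrites would end up double-escaped in the form's action URL. Passing `$k` unescaped, as the existing Download link for downloadExport in the hunk above already does, keeps the two consistent; if the key can contain characters that need neutralising, that belongs in route or input validation rather than in HTML escaping of a URL segment. The enclosing sprintf/echo starts before the hunk.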
|
||||
|
@ -174,8 +175,12 @@
|
|||
?>
|
||||
<script type="text/javascript">
|
||||
function generate(i, type, id, progress, modified) {
|
||||
var $clicked = $('#button'+i)
|
||||
var $form = $clicked.next().find('form')
|
||||
$.ajax({
|
||||
url: "<?php echo $baseurl; ?>/jobs/cache/" + type,
|
||||
url: $form.attr('action'),
|
||||
type:'post',
|
||||
data: $form.serialize()
|
||||
})
|
||||
.done(function(data) {
|
||||
jobsArray[i] = data;
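Review bot: `$form` is located purely by position, `$clicked.next().find('form')`, and nothing checks that a form was actually found; if the hidden div is not the button's immediate sibling, `$form.attr('action')` is undefined and jQuery posts an empty body to the current page instead of the cache endpoint, without the hidden token fields the form carries. Add a guard right after the lookup, `if (!$form.length) { return; }`, so a broken markup pairing fails visibly rather than firing a misdirected request. The two new `var` lines also drop the statement-terminating semicolons the rest of this script uses (`jobsArray[i] = data;`), and the `type` parameter of generate() appears to be unused now that the URL comes from the form, though the function body continues past the hunk.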
|
||||
|
|