fix: [CSRF] Potential fix for the CSRF issues via tag/galaxy additions

pull/4734/head
iglocska 2019-06-07 14:44:39 +02:00
parent 25d8d6cf94
commit ab86fd658b
2 changed files with 137 additions and 138 deletions


@ -46,7 +46,7 @@ class AppController extends Controller
public $helpers = array('Utility', 'OrgImg', 'FontAwesome');
private $__queryVersion = '71';
private $__queryVersion = '72';
public $pyMispVersion = '2.4.106';
public $phpmin = '7.0';
public $phprec = '7.2';


@ -604,105 +604,105 @@ function submitForm(type, id, field, context) {
function quickSubmitTagForm(selected_tag_ids, addData) {
var event_id = addData.id;
var formData = fetchFormDataAjax("/events/addTag/" + event_id);
$('#temp').html(formData);
$('#EventTag').val(JSON.stringify(selected_tag_ids));
$.ajax({
data: $('#EventAddTagForm').serialize(),
cache: false,
beforeSend: function (XMLHttpRequest) {
$(".loading").show();
},
success:function (data, textStatus) {
loadEventTags(event_id);
loadGalaxies(event_id, 'event');
handleGenericAjaxResponse(data);
},
error:function() {
showMessage('fail', 'Could not add tag.');
loadEventTags(event_id);
loadGalaxies(event_id, 'event');
},
complete:function() {
$('#temp').empty();
$("#popover_form").fadeOut();
$("#gray_out").fadeOut();
$(".loading").hide();
},
type:"post",
url:"/events/addTag/" + event_id
fetchFormDataAjax("/events/addTag/" + event_id, function(formData) {
$('#temp').html(formData);
$('#EventTag').val(JSON.stringify(selected_tag_ids));
$.ajax({
data: $('#EventAddTagForm').serialize(),
cache: false,
beforeSend: function (XMLHttpRequest) {
$(".loading").show();
},
success:function (data, textStatus) {
loadEventTags(event_id);
loadGalaxies(event_id, 'event');
handleGenericAjaxResponse(data);
},
error:function() {
showMessage('fail', 'Could not add tag.');
loadEventTags(event_id);
loadGalaxies(event_id, 'event');
},
complete:function() {
$('#temp').empty();
$("#popover_form").fadeOut();
$("#gray_out").fadeOut();
$(".loading").hide();
},
type:"post",
url:"/events/addTag/" + event_id
});
$('#temp').remove();
});
$('#temp').remove();
return false;
}
function quickSubmitAttributeTagForm(selected_tag_ids, addData) {
var attribute_id = addData.id;
var formData = fetchFormDataAjax("/attributes/addTag/" + attribute_id);
$('#temp').html(formData);
$('#AttributeTag').val(JSON.stringify(selected_tag_ids));
if (attribute_id == 'selected') {
$('#AttributeAttributeIds').val(getSelected());
}
$.ajax({
data: $('#AttributeAddTagForm').serialize(),
beforeSend: function (XMLHttpRequest) {
$(".loading").show();
},
success:function (data, textStatus) {
if (attribute_id == 'selected') {
updateIndex(0, 'event');
} else {
fetchFormDataAjax("/attributes/addTag/" + attribute_id, function(formData) {
$('#temp').html(formData);
$('#AttributeTag').val(JSON.stringify(selected_tag_ids));
if (attribute_id == 'selected') {
$('#AttributeAttributeIds').val(getSelected());
}
$.ajax({
data: $('#AttributeAddTagForm').serialize(),
beforeSend: function (XMLHttpRequest) {
$(".loading").show();
},
success:function (data, textStatus) {
if (attribute_id == 'selected') {
updateIndex(0, 'event');
} else {
loadAttributeTags(attribute_id);
loadGalaxies(attribute_id, 'attribute');
}
handleGenericAjaxResponse(data);
},
error:function() {
showMessage('fail', 'Could not add tag.');
loadAttributeTags(attribute_id);
loadGalaxies(attribute_id, 'attribute');
}
handleGenericAjaxResponse(data);
},
error:function() {
showMessage('fail', 'Could not add tag.');
loadAttributeTags(attribute_id);
loadGalaxies(attribute_id, 'attribute');
},
complete:function() {
$("#popover_form").fadeOut();
$("#gray_out").fadeOut();
$(".loading").hide();
},
type:"post",
url:"/attributes/addTag/" + attribute_id
},
complete:function() {
$("#popover_form").fadeOut();
$("#gray_out").fadeOut();
$(".loading").hide();
},
type:"post",
url:"/attributes/addTag/" + attribute_id
});
$('#temp').remove();
});
$('#temp').remove();
return false;
}
function quickSubmitTagCollectionTagForm(selected_tag_ids, addData) {
var tag_collection_id = addData.id;
var formData = fetchFormDataAjax("/tag_collections/addTag/" + tag_collection_id);
$('#temp').html(formData);
$('#TagCollectionTag').val(JSON.stringify(selected_tag_ids));
$.ajax({
data: $('#TagCollectionAddTagForm').serialize(),
beforeSend: function (XMLHttpRequest) {
$(".loading").show();
},
success:function (data, textStatus) {
handleGenericAjaxResponse(data);
refreshTagCollectionRow(tag_collection_id);
},
error:function() {
showMessage('fail', 'Could not add tag.');
loadTagCollectionTags(tag_collection_id);
},
complete:function() {
$("#popover_form").fadeOut();
$("#gray_out").fadeOut();
$(".loading").hide();
},
type:"post",
url:"/tag_collections/addTag/" + tag_collection_id
fetchFormDataAjax("/tag_collections/addTag/" + tag_collection_id, function(formData) {
$('#temp').html(formData);
$('#TagCollectionTag').val(JSON.stringify(selected_tag_ids));
$.ajax({
data: $('#TagCollectionAddTagForm').serialize(),
beforeSend: function (XMLHttpRequest) {
$(".loading").show();
},
success:function (data, textStatus) {
handleGenericAjaxResponse(data);
refreshTagCollectionRow(tag_collection_id);
},
error:function() {
showMessage('fail', 'Could not add tag.');
loadTagCollectionTags(tag_collection_id);
},
complete:function() {
$("#popover_form").fadeOut();
$("#gray_out").fadeOut();
$(".loading").hide();
},
type:"post",
url:"/tag_collections/addTag/" + tag_collection_id
});
$('#temp').remove();
});
$('#temp').remove();
return false;
}
function refreshTagCollectionRow(tag_collection_id) {
@ -3640,43 +3640,43 @@ function addGalaxyListener(id) {
function quickSubmitGalaxyForm(cluster_ids, additionalData) {
var target_id = additionalData['target_id'];
var scope = additionalData['target_type'];
var formData = fetchFormDataAjax("/galaxies/attachMultipleClusters/" + target_id + "/" + scope);
$('#temp').html(formData);
$('#temp #GalaxyTargetIds').val(JSON.stringify(cluster_ids));
if (target_id == 'selected') {
$('#AttributeAttributeIds, #GalaxyAttributeIds').val(getSelected());
}
$.ajax({
data: $('#GalaxyAttachMultipleClustersForm').serialize(),
beforeSend: function (XMLHttpRequest) {
$(".loading").show();
},
success:function (data, textStatus) {
if (target_id === 'selected') {
location.reload();
} else {
if (scope == 'tag_collection') {
fetchFormDataAjax("/galaxies/attachMultipleClusters/" + target_id + "/" + scope, function(formData) {
$('#temp').html(formData);
$('#temp #GalaxyTargetIds').val(JSON.stringify(cluster_ids));
if (target_id == 'selected') {
$('#AttributeAttributeIds, #GalaxyAttributeIds').val(getSelected());
}
$.ajax({
data: $('#GalaxyAttachMultipleClustersForm').serialize(),
beforeSend: function (XMLHttpRequest) {
$(".loading").show();
},
success:function (data, textStatus) {
if (target_id === 'selected') {
location.reload();
} else {
loadGalaxies(target_id, scope);
handleGenericAjaxResponse(data);
if (scope == 'tag_collection') {
location.reload();
} else {
loadGalaxies(target_id, scope);
handleGenericAjaxResponse(data);
}
}
}
},
error:function() {
showMessage('fail', 'Could not add cluster.');
loadGalaxies(target_id, scope);
},
complete:function() {
$("#popover_form").fadeOut();
$("#gray_out").fadeOut();
$(".loading").hide();
},
type:"post",
url: "/galaxies/attachMultipleClusters/" + target_id + "/" + scope
},
error:function() {
showMessage('fail', 'Could not add cluster.');
loadGalaxies(target_id, scope);
},
complete:function() {
$("#popover_form").fadeOut();
$("#gray_out").fadeOut();
$(".loading").hide();
},
type:"post",
url: "/galaxies/attachMultipleClusters/" + target_id + "/" + scope
});
$('#temp').remove();
});
$('#temp').remove();
return false;
}
function checkAndSetPublishedInfo(skip_reload) {
@ -4271,30 +4271,30 @@ function submit_feed_overlap_tool(feedId) {
function changeTaxonomyRequiredState(checkbox) {
var checkbox_state = $(checkbox).is(":checked");
var taxonomy_id = $(checkbox).data('taxonomy-id');
var formData = fetchFormDataAjax('/taxonomies/toggleRequired/' + taxonomy_id);
$.ajax({
data: $(formData).serialize(),
success:function (data, textStatus) {
handleGenericAjaxResponse({'saved':true, 'success':['Taxonomy\'s required state toggled.']});
},
error:function() {
$(checkbox).prop('checked', !$(checkbox).prop('checked'));
handleGenericAjaxResponse({'saved':false, 'errors':['Could not toggle the required state of the taxonomy.']});
},
async:"false",
type:"post",
cache: false,
url: '/taxonomies/toggleRequired/' + taxonomy_id,
fetchFormDataAjax('/taxonomies/toggleRequired/' + taxonomy_id, function(formData) {
$.ajax({
data: $(formData).serialize(),
success:function (data, textStatus) {
handleGenericAjaxResponse({'saved':true, 'success':['Taxonomy\'s required state toggled.']});
},
error:function() {
$(checkbox).prop('checked', !$(checkbox).prop('checked'));
handleGenericAjaxResponse({'saved':false, 'errors':['Could not toggle the required state of the taxonomy.']});
},
async:"false",
type:"post",
cache: false,
url: '/taxonomies/toggleRequired/' + taxonomy_id,
});
});
formData = false;
}
function fetchFormDataAjax(url) {
function fetchFormDataAjax(url, callback) {
var formData = false;
$.ajax({
data: '[]',
success:function (data, textStatus) {
formData = data;
callback(data);
},
error:function() {
handleGenericAjaxResponse({'saved':false, 'errors':['Request failed due to an unexpected error.']});
@ -4304,7 +4304,6 @@ function fetchFormDataAjax(url) {
cache: false,
url: url
});
return formData;
}
(function(){
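Review bot: The trailing `formData = false;` at the end of changeTaxonomyRequiredState now assigns to a name that no longer exists in that scope, because the old `var formData = fetchFormDataAjax(...)` became the callback's parameter; after this change the line creates an implicit global (or throws under strict mode) and should simply be deleted. In fetchFormDataAjax the kept `var formData = false;` is dead now that `return formData;` is gone, and `callback(data)` is invoked unconditionally, so any caller elsewhere in app.js that still uses the old return-value contract would get `undefined` back and submit without the freshly fetched form and the token it carries; I would write `if (typeof callback === 'function') { callback(data); }` and check the remaining callers in the file before merging. In quickSubmitTagForm, quickSubmitAttributeTagForm, quickSubmitTagCollectionTagForm and quickSubmitGalaxyForm the `$('#temp').remove();` that follows the fetchFormDataAjax call runs as soon as the request is issued, while the callback already removes `#temp` itself; unless the fetch is synchronous (its `async` option is outside the hunk) the outer remove empties the container before `$('#temp').html(formData)` runs and the submitted form serializes to nothing, so only the remove inside the callback should remain.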