
Problem with jquery-file-upload and csrf-magic

Open webbird opened this issue 9 years ago • 6 comments

I am having a problem combining csrf-magic and jquery-file-upload by blueimp. When trying to send the files (i.e. send the upload form), the csrf-magic.js prepends the data with its token. The result is an invalid post:

__csrf_magic=sid:d0a151fd235a4f1302269149a01afe55a45db3de,1432143876&[object FormData]

The server side script now gets nothing as the query string is invalid.

Any ideas?

webbird avatar May 20 '15 17:05 webbird

Seems I was able to fix this by extending the process method like so:

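CsrfMagic.process = function(base) {
    // Object bodies (e.g. FormData) cannot be concatenated with a string:
    // set the token as a property on the object and return it as-is.
    // typeof null is also 'object', so check for a value first.
    if (base && typeof base == 'object') {
        base[csrfMagicName] = csrfMagicToken;
        return base;
    }
    // String bodies: prepend the token as a form field.
    var prepend = csrfMagicName + '=' + csrfMagicToken;
    if (base) return prepend + '&' + base;
    return prepend;
};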

Will have to test this a little more.

webbird avatar May 21 '15 12:05 webbird

Hi, will you please be precise about it? Sameer

On 5/21/15, Bianka Martinovic wrote:

> Seems I was able to fix this by extending the process method like so:
>
> CsrfMagic.process = function(base) {
>     if(typeof base == 'object') {
>         base[csrfMagicName] = csrfMagicToken;
>         return base;
>     }
>     var prepend = csrfMagicName + '=' + csrfMagicToken;
>     if (base) return prepend + '&' + base;
>     return prepend;
> }
>
> Will have to test this a little more.



samhaldia avatar May 21 '15 16:05 samhaldia

Uhm, what do you mean?

webbird avatar May 21 '15 16:05 webbird

I meant, will you tell me the steps to reproduce for my PHP-based website? Actually, on not finding any solution I left, but again I would like to work it out.

On 5/21/15, Bianka Martinovic wrote:

> Uhm, what do you mean?



samhaldia avatar May 21 '15 16:05 samhaldia

In my case, the jQuery plugin sends an object instead of a string. When csrf-magic prepends the form data with the token, the result is

__csrf_magic=sid:d0a151fd235a4f1302269149a01afe55a45db3de,1432143876&[object FormData]

The part before the & is the token string, the part after would be an object, but now it's cast to a string. The result is an invalid query string, so no data is posted to the PHP script on the server side.

To find this, I used Firebug to see what is sent to the server (console window).

After adding the patch shown above, all works fine for me.

webbird avatar May 21 '15 16:05 webbird

I also ran into this issue and used the same fix, but I had to add it in the CsrfMagic.prototype.send() method as well. You could call the process() method, in order to avoid duplicate code.

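send: function(data) {
    // Only POST requests carry the token.
    if (!this.csrf_isPost) return this.csrf_send(data);
    // Declared locally so it does not leak into the global scope.
    var prepend = csrfMagicName + '=' + csrfMagicToken + '&';
    // Adjust a caller-supplied Content-length only when one was recorded;
    // with "=== undefined" the header would be set to NaN.
    if (this.csrf_purportedLength !== undefined) {
        this.csrf_setRequestHeader("Content-length", this.csrf_purportedLength + prepend.length);
        delete this.csrf_purportedLength;
    }
    delete this.csrf_isPost;

    // Fix to work with FormData objects.
    // typeof null is also 'object', so check for a value first.
    if (data && typeof data == 'object') {
        data[csrfMagicName] = csrfMagicToken;
        return this.csrf_send(data);
    }

    return this.csrf_send(prepend + data);
},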

GreeKatrina avatar Jun 15 '17 21:06 GreeKatrina
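
For reference, an added example (not from the thread and not csrf-magic's own code) of attaching the token by body type: strings get the field prepended, while FormData and URLSearchParams receive it through append(), because a property assigned on those objects is not serialized as a form field. csrfMagicName and csrfMagicToken follow the names used in the thread; addCsrfToken, isFieldContainer and propertyAssignmentAddsField are hypothetical names, and the token value is constructed.

```javascript
// Added example; not csrf-magic's code. The token value is constructed.
var csrfMagicName = '__csrf_magic';
var csrfMagicToken = 'sid:0000000000000000000000000000000000000000,1432143876';

// True for body types that carry named fields behind an append()/has() API.
function isFieldContainer(body) {
    return (typeof FormData !== 'undefined' && body instanceof FormData) ||
           (typeof URLSearchParams !== 'undefined' && body instanceof URLSearchParams);
}

// Hypothetical helper: return a body that carries the token, by body type.
function addCsrfToken(body) {
    var field = encodeURIComponent(csrfMagicName) + '=' +
                encodeURIComponent(csrfMagicToken);
    // No body: the token field is the whole body.
    if (body === null || body === undefined || body === '') return field;
    // URL-encoded string: prepend the field, as in the string path above.
    if (typeof body === 'string') return field + '&' + body;
    // FormData / URLSearchParams: add a real field, once.
    if (isFieldContainer(body)) {
        if (!body.has(csrfMagicName)) body.append(csrfMagicName, csrfMagicToken);
        return body;
    }
    // Blob, ArrayBuffer, etc. have no fields: fail instead of sending
    // "token&[object Blob]" or silently dropping the token.
    throw new TypeError('cannot attach CSRF token to this body type');
}

// Shows why `body[name] = token` is not enough for FormData.
function propertyAssignmentAddsField() {
    var fd = new FormData();
    fd[csrfMagicName] = csrfMagicToken;   // plain JS property, never serialized
    return fd.has(csrfMagicName);
}
```

Requires a runtime with a global FormData (current browsers, Node 18 or later).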