vvanpo
(Victor van Poppelen)
March 11, 2017, 4:28am
1
My JSON parser fails when retrieving certain errors; so far I've only experienced it with "['BAD CSRF']" being returned when using the /groups/{group_id}/members.json endpoint (single quotes as string delimiters are improper JSON). A quick search in GitHub revealed the following:
```javascript
      if (args.returnXHR) {
        data = { result: data, xhr: xhr };
      }
      Ember.run(null, resolve, data);
    };

    args.error = (xhr, textStatus, errorThrown) => {
      // note: for bad CSRF we don't loop an extra request right away.
      // this allows us to eliminate the possibility of having a loop.
      if (xhr.status === 403 && xhr.responseText === "['BAD CSRF']") {
        Discourse.Session.current().set('csrfToken', null);
      }

      // If it's a parsererror, don't reject
      if (xhr.status === 200) return args.success(xhr);

      // Fill in some extra info
      xhr.jqTextStatus = textStatus;
      xhr.requestedUrl = url;
```
```ruby
  protect_from_forgery

  # Default Rails 3.2 lets the request through with a blank session
  # we are being more pedantic here and nulling session / current_user
  # and then raising a CSRF exception
  def handle_unverified_request
    # NOTE: API key is secret, having it invalidates the need for a CSRF token
    unless is_api? || is_user_api?
      super
      clear_current_user
      render text: "['BAD CSRF']", status: 403
    end
  end

  before_filter :set_current_user_for_logs
  before_filter :clear_notifications
  before_filter :set_locale
  before_filter :set_mobile_view
  before_filter :inject_preview_style
  before_filter :disable_customization
  before_filter :block_if_readonly_mode
```
I imagine there might be some other areas with improper manually-formatted JSON as well.
2 likes
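To illustrate the failure mode the post describes, here is an added example (not code from the original post or from Discourse): a strict `JSON.parse` rejects the manually formatted `['BAD CSRF']` body, and an error handler modelled on the Discourse snippet above can recognise both that legacy body and a properly JSON-encoded `["BAD CSRF"]` array before clearing the cached CSRF token. The function names, the `makeSession` stand-in and the fake XHR objects are assumptions made for the example.

```javascript
// Added example, not Discourse's code. Function names, the session stand-in
// and the XHR objects below are assumptions for illustration.

// Constructed sample bodies: the legacy manually formatted text that
// handle_unverified_request renders, and a JSON-encoded array of the same value.
const LEGACY_BAD_CSRF_BODY = "['BAD CSRF']";
const JSON_BAD_CSRF_BODY = JSON.stringify(["BAD CSRF"]); // '["BAD CSRF"]'

// Strict parse: returns the parsed value, or null when the body is not valid JSON.
// The legacy body falls into the null branch because single quotes are not
// string delimiters in JSON.
function parseJsonBody(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Recognise a BAD CSRF response whether the server still sends the legacy
// single-quoted text or a proper JSON array with one "BAD CSRF" element.
function isBadCsrfResponse(xhr) {
  if (xhr.status !== 403) return false;
  if (xhr.responseText === LEGACY_BAD_CSRF_BODY) return true;
  const parsed = parseJsonBody(xhr.responseText);
  return Array.isArray(parsed) && parsed.length === 1 && parsed[0] === "BAD CSRF";
}

// Minimal stand-in for the session object the Discourse snippet mutates.
function makeSession(token) {
  return { csrfToken: token };
}

// Error handler modelled on the Discourse snippet: on BAD CSRF clear the cached
// token so the next request fetches a fresh one (no immediate retry, to avoid a
// loop); otherwise hand back the parsed error payload, or the raw text when the
// body is not JSON, instead of letting the parse failure propagate.
function handleAjaxError(session, xhr) {
  if (isBadCsrfResponse(xhr)) {
    session.csrfToken = null;
    return { csrfReset: true, error: "BAD CSRF" };
  }
  const parsed = parseJsonBody(xhr.responseText);
  return { csrfReset: false, error: parsed === null ? xhr.responseText : parsed };
}
```

Once the server side renders `json: ['BAD CSRF']` instead of the hand-built string, only the JSON branch of `isBadCsrfResponse` is exercised, but keeping the legacy comparison lets a client tolerate servers that have not yet been updated.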
sam
(Sam Saffron)
March 13, 2017, 1:42pm
2
Mind sending a PR through to fix both spots?
3 likes