Add CSRF to the upload #4

Closed
opened 2023-10-18 02:08:10 +00:00 by BlakeRain · 1 comment
Owner

Currently the multipart upload code doesn't implement the CSRF check. There are a few things to consider here:

  1. Can we ensure that the CSRF token is the first field in the multipart form? How does the `XMLHttpRequest` order the fields?
  2. If they can be ordered then we can make sure that the CSRF has been seen (and validated) before we start processing the upload; and terminate the request if not.
  3. If we cannot control the order, then we'll have to go through the entire upload before we can validate the CSRF? Seems a bit lame.
BlakeRain added this to the v2.0.0 milestone 2023-10-18 02:08:10 +00:00
BlakeRain added the bug label 2023-10-18 02:08:10 +00:00
BlakeRain self-assigned this 2024-08-07 13:52:49 +00:00
Author
Owner

This has been added.

Reference: BlakeRain/parcel#4
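
An added example, not code from this repository: one way to validate the CSRF field before any upload data is processed, rejecting the request as soon as the first part's headers or size show it is not the token. It assumes the client appends the token to its `FormData` before the file (`FormData` serializes entries in insertion order) and that the server knows the expected token for the session; the field name `csrf_token`, the 4096-byte limit, the helper names and the sample values are all hypothetical.

```python
import hmac
import re

class CsrfRejected(Exception):
    """Terminate the request; no upload data has been processed yet."""

_NAME = re.compile(rb'content-disposition:\s*form-data;\s*name="([^"]*)"', re.I)

def require_csrf_first(chunks, boundary, expected, field=b"csrf_token", limit=4096):
    """Read `chunks` only until the first part is complete, then validate it.

    Returns the unparsed remainder (it starts at the next boundary) so the
    real multipart parser can continue with the rest of the iterator.
    """
    delim, buf = b"--" + boundary, b""
    for chunk in chunks:
        buf += chunk
        if not buf.startswith(delim[:len(buf)]):
            raise CsrfRejected("body does not start with the boundary")
        head_end = buf.find(b"\r\n\r\n")
        if head_end != -1:
            headers = buf[len(delim):head_end]
            name = _NAME.search(headers)
            # Reject on the part headers alone, before any of its data is read.
            if not name or name.group(1) != field or b"filename=" in headers.lower():
                raise CsrfRejected("first field is not the CSRF token")
            body_end = buf.find(b"\r\n" + delim, head_end + 4)
            if 0 <= body_end <= limit:
                if not hmac.compare_digest(buf[head_end + 4:body_end], expected):
                    raise CsrfRejected("CSRF token mismatch")
                return buf[body_end + 2:]
        if len(buf) > limit:  # a token field never needs this much
            raise CsrfRejected("first part exceeds the token size limit")
    raise CsrfRejected("body ended before a complete CSRF field was seen")

BOUNDARY = b"----constructedBoundary42"   # constructed sample values
TOKEN = b"constructed-token-0123456789"

def sample_body(parts):
    """Constructed body; `parts` is a list of (name, filename or None, data)."""
    out = b""
    for name, filename, data in parts:
        disp = b'Content-Disposition: form-data; name="' + name + b'"'
        if filename:
            disp += b'; filename="' + filename + b'"'
        out += b"--" + BOUNDARY + b"\r\n" + disp + b"\r\n\r\n" + data + b"\r\n"
    return out + b"--" + BOUNDARY + b"--\r\n"
```

Because the function stops pulling from the iterator once the first part is decided, a request with the file ahead of the token is refused after the first network chunk rather than after the whole upload.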