Merge pull request #47445 from nextcloud/backport/44369/stable28

[stable28] fix: csrf check failed on public share with password

Author: blizzz

core/src/main.js

@@ -36,6 +36,8 @@ import './jquery/index.js'
 import { initCore } from './init.js'
 import { registerAppsSlideToggle } from './OC/apps.js'
 import { getRequestToken } from '@nextcloud/auth'
+import { generateUrl } from '@nextcloud/router'
+import Axios from '@nextcloud/axios'
 
 // eslint-disable-next-line camelcase
 __webpack_nonce__ = btoa(getRequestToken())
@@ -51,3 +53,20 @@ window.addEventListener('DOMContentLoaded', function() {
 		window.onhashchange = _.bind(OC.Util.History._onPopState, OC.Util.History)
 	}
 })
+
+// Fix error "CSRF check failed"
+document.addEventListener('DOMContentLoaded', function() {
+	const form = document.getElementById('password-input-form')
+	if (form) {
+		form.addEventListener('submit', async function(event) {
+			event.preventDefault()
+			const requestToken = document.getElementById('requesttoken')
+			if (requestToken) {
+				const url = generateUrl('/csrftoken')
+				const resp = await Axios.get(url)
+				requestToken.value = resp.data.token
+			}
+			form.submit()
+		})
+	}
+})

core/templates/publicshareauth.php

@@ -22,7 +22,7 @@
 			<?php endif; ?>
 			<p>
 				<label for="password" class="infield"><?php p($l->t('Password')); ?></label>
-				<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
+				<input type="hidden" id="requesttoken" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
 				<input type="password" name="password" id="password"
 					placeholder="<?php p($l->t('Password')); ?>" value=""
 					autocomplete="new-password" autocapitalize="off" spellcheck="false"
@@ -34,7 +34,7 @@ class="svg icon-confirm input-button-inline" value="" disabled="disabled" />
 			</p>
 		</fieldset>
 	</form>
-	
+
 	<!-- email prompt form. It should initially be hidden -->
 	<?php if (isset($_['identityOk'])): ?>
 		<form method="post" id="email-input-form">
@@ -46,7 +46,7 @@ class="svg icon-confirm input-button-inline" value="" disabled="disabled" />
 			 <p>
 				<input type="email" id="email" name="identityToken" placeholder="<?php p($l->t('Email address')); ?>" />
 				<input type="submit" id="password-request" name="passwordRequest" class="svg icon-confirm input-button-inline" value="" disabled="disabled"/>
-				<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
+				<input type="hidden" id="requesttoken" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
 				<input type="hidden" name="sharingToken" value="<?php p($_['share']->getToken()) ?>" id="sharingToken">
 				<input type="hidden" name="sharingType" value="<?php p($_['share']->getShareType()) ?>" id="sharingType">
 			</p>
@@ -59,12 +59,12 @@ class="svg icon-confirm input-button-inline" value="" disabled="disabled" />
 			<?php endif; ?>
 		</fieldset>
 	</form>
-	
+
 	<!-- request password button -->
 	<?php if (!isset($_['identityOk']) && $_['share']->getShareType() === $_['share']::TYPE_EMAIL && !$_['share']->getSendPasswordByTalk()): ?>
 		<a id="request-password-button-not-talk"><?php p($l->t('Forgot password?')); ?></a>
 	<?php endif; ?>
-	
+
 	<!-- back to showShare button -->
 	<form method="get">
 		<fieldset>