Details
- Bug
- Resolution: Fixed
- Low
- 2.12.0
- None
Description
Stash, as of 2.12, will allow users to upload local avatars to their account (STASHDEV-6182).
That upload is submitted to a (non-API) endpoint that accepts a POST request with the avatar as a data URI.
Currently, because the form is submitted by AJAX, the endpoint is annotated with @IgnoresXsrf, as the front-end doesn't have a security token to submit along with the request. See UserProfileController.uploadAvatar for the source.
The two alternatives to fix this (and remove the annotation) are:
- submit the data as JSON instead of form-urlencoded,
- get hold of a security token/value in the page and submit it as part of the AJAX request.
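To make the two alternatives concrete, the following is an added illustration (not Stash's code, and not the actual fix): a server-side acceptance check for the avatar upload that accepts a JSON body without a token and otherwise requires the page's security token on form-encoded submissions. The request model, the field name `xsrf_token` and the sample token value are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed request model for this example; it is not Stash's request API.
@dataclass
class Request:
    method: str
    content_type: str
    body: str = ""
    form: dict = field(default_factory=dict)
    session_token: str = ""  # token bound to the logged-in session (server side)

# Body types a cross-site HTML <form> can submit without a CORS preflight.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

def media_type(content_type: str) -> str:
    """Drop parameters such as charset or boundary before comparing."""
    return content_type.split(";", 1)[0].strip().lower()

def accept_avatar_upload(req: Request) -> bool:
    """Return True if the upload may proceed without an @IgnoresXsrf exemption.

    Alternative 1 (JSON): a <form> cannot produce an application/json body and a
    cross-origin XHR with that type needs a CORS preflight, so the media type is
    matched exactly. A text/plain body that merely looks like JSON is a form post.
    Alternative 2 (token): form-encoded submissions must carry the page's token
    (field name 'xsrf_token' is assumed here) equal to the session-bound value,
    compared in constant time.
    """
    if req.method != "POST":
        return False
    mtype = media_type(req.content_type)
    if mtype == "application/json":
        return True
    if mtype in FORM_TYPES and req.session_token:
        submitted = req.form.get("xsrf_token", "")
        return hmac.compare_digest(submitted.encode(), req.session_token.encode())
    return False

TOKEN = "constructed-session-token-0001"  # constructed sample value
AVATAR = "data:image/png;base64,iVBORw0KGgo="  # constructed data URI

# Form post without the token (the shape @IgnoresXsrf currently lets through).
no_token = Request("POST", "application/x-www-form-urlencoded",
                   form={"avatar": AVATAR}, session_token=TOKEN)
# AJAX form post that includes the page token.
with_token = Request("POST", "application/x-www-form-urlencoded; charset=UTF-8",
                     form={"avatar": AVATAR, "xsrf_token": TOKEN}, session_token=TOKEN)
# AJAX JSON post: accepted without a token.
as_json = Request("POST", "application/json", body='{"avatar": "%s"}' % AVATAR,
                  session_token=TOKEN)
# enctype=text/plain form whose body looks like JSON: still a form post.
lookalike = Request("POST", "text/plain", body='{"avatar": "%s"}' % AVATAR,
                    session_token=TOKEN)
```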
Attachments
Issue Links
- is related to: BSERV-5336 TemporaryAvatarController.save is vulnerable to CSRF/XSRF (Closed)