This repository has been archived by the owner on Jan 12, 2022. It is now read-only.

send csrf token with file upload requests
seanmonstar committed Mar 22, 2011
1 parent 59c3540 commit 24dc739
1 change: 1 addition & 0 deletions media/lib/sendFile.js
Expand Up @@ -55,6 +55,7 @@ sendFile = (function(toString, maxSize){
xhr.setRequestHeader("If-Modified-Since", "Mon, 26 Jul 1997 05:00:00 GMT");
xhr.setRequestHeader("Cache-Control", "no-cache");
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xhr.setRequestHeader("X-CSRFToken", Cookie.read('csrftoken'));
xhr.setRequestHeader("X-File-Name", handler.file.fileName);
xhr.setRequestHeader("X-File-Size", handler.file.fileSize);
xhr.setRequestHeader("Content-Type", "multipart/form-data");
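Review bot: the X-CSRFToken header on the added line is only consulted after the server has read request.POST, and the Content-Type set two lines below ("multipart/form-data", with no boundary) on a body that is the raw file bytes means Django's CSRF middleware, which in the 1.2.5 snippet quoted in the comment below calls request.POST.get('csrfmiddlewaretoken') before looking at HTTP_X_CSRFTOKEN, fails while parsing POST before it ever sees the header. Declare the raw body with a non-form type such as application/octet-stream instead (X-File-Name and X-File-Size already carry the file metadata), so request.POST stays empty and the header fallback is reached. Separately, if Cookie.read('csrftoken') returns null when the cookie is absent, setRequestHeader sends the literal string "null"; check for a missing cookie before sending rather than emitting a request that is guaranteed to be rejected.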

1 comment on commit 24dc739

@seanmonstar (Author)


Actually, this doesn't quite fix it, since the csrf middleware in Django checks POST before checking the META. Since we use the raw post data, the middleware errors when accessing POST as a QueryDict.

request_csrf_token = request.POST.get('csrfmiddlewaretoken', "")
if request_csrf_token == "":
    # Fall back to X-CSRFToken, to make things easier for AJAX
    request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')

from https://github.com/django/django/blob/1.2.5/django/middleware/csrf.py#L164

@zalun it seems our use of raw_post_data has been troublesome. In this case, I don't see a way around this without changing how we send the data of the file.
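As an added example (not the project's sendFile.js and not the author's code), the upload call written the way the comment above points toward: read the csrftoken cookie directly from a document.cookie-style string, refuse to send when it is absent instead of emitting a literal "null" header, and declare the body as application/octet-stream so a Django server does not attempt to multipart-parse a raw file body before it reaches the X-CSRFToken fallback. The cookie name csrftoken and the X-CSRFToken header are the ones the commit uses; the function names readCsrfCookie, sendRawFile and makeRecordingTransport, the file object's name/size/data fields, the XHR-shaped transport object and the sample cookie string are assumptions made for this example.

```javascript
// Added example: CSRF-protected raw file upload helper (not the project's code).
// Assumes a Django backend using the default 'csrftoken' cookie and the
// X-CSRFToken header fallback quoted in the commit comment above.

// Parse one cookie out of a document.cookie-style string.
// Returns null (never the string "null") when the cookie is absent.
function readCsrfCookie(cookieString, name) {
  if (!cookieString) return null;
  const prefix = name + "=";
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (trimmed.startsWith(prefix)) {
      return decodeURIComponent(trimmed.slice(prefix.length));
    }
  }
  return null;
}

// Build and send the upload request. `transport` is any object with the
// XHR-shaped open/setRequestHeader/send methods: a real XMLHttpRequest in the
// browser, or a recording fake outside it. Returns the headers that were set.
function sendRawFile(transport, url, file, cookieString) {
  const token = readCsrfCookie(cookieString, "csrftoken");
  if (token === null) {
    // setRequestHeader would otherwise serialise null as the string "null",
    // producing a request the server is guaranteed to reject.
    throw new Error("csrftoken cookie missing; refusing to send the upload");
  }
  const headers = {
    "X-Requested-With": "XMLHttpRequest",
    "X-CSRFToken": token,
    "X-File-Name": file.name,
    "X-File-Size": String(file.size),
    // Not multipart/form-data: the body is the raw file bytes, so say so.
    // A multipart Content-Type with no boundary on a non-multipart body makes
    // request.POST parsing fail before the X-CSRFToken fallback is consulted.
    "Content-Type": "application/octet-stream",
  };
  transport.open("POST", url, true);
  for (const [name, value] of Object.entries(headers)) {
    transport.setRequestHeader(name, value);
  }
  transport.send(file.data);
  return headers;
}

// Minimal XHR-shaped recorder so the helper can be exercised outside a browser.
function makeRecordingTransport() {
  const record = { method: null, url: null, headers: {}, body: null };
  return {
    record,
    open(method, url) { record.method = method; record.url = url; },
    setRequestHeader(name, value) { record.headers[name] = value; },
    send(body) { record.body = body; },
  };
}

// Constructed sample input (not captured from a real session).
const SAMPLE_COOKIES = "sessionid=abc123; csrftoken=Q7nYtZ4kLm0pXw; theme=dark";
const SAMPLE_FILE = { name: "report.pdf", size: 8, data: "%PDF-1.4" };
```

In a browser the call is sendRawFile(new XMLHttpRequest(), "/upload", file, document.cookie); the recording transport exists only so the header logic can be checked without a DOM.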
