Enhance CSRF protection in upload endpoints

KrzysztofPajak · KrzysztofPajak · commit c681e15d8fca · 2025-05-11T20:36:11.000+02:00
diff --git a/src/Web/Grand.SharedUIResources/Views/Shared/EditorTemplates/MultiPicture.cshtml b/src/Web/Grand.SharedUIResources/Views/Shared/EditorTemplates/MultiPicture.cshtml
@@ -32,7 +32,10 @@
                     Reference: '@reference',
                     ObjectId: '@objectId'
                 },
-                inputName: "files"
+                inputName: "files",
+                customHeaders: {
+                    'X-CSRF-TOKEN': $('input[name="__RequestVerificationToken"]').val()
+                }
             },
             template: "@(clientId)-qq-template",
             multiple: true,
diff --git a/src/Web/Grand.SharedUIResources/Views/Shared/EditorTemplates/Picture.cshtml b/src/Web/Grand.SharedUIResources/Views/Shared/EditorTemplates/Picture.cshtml
@@ -44,7 +44,10 @@ else
                     Reference: '@ViewData["Reference"]',
                     ObjectId: '@ViewData["ObjectId"]'
                 },
-                inputName: "file"
+                inputName: "file",
+                customHeaders: {
+                    'X-CSRF-TOKEN': $('input[name="__RequestVerificationToken"]').val()
+                }
             },            
             template: "@(clientId)-qq-template",
             multiple: false,
diff --git a/src/Web/Grand.Web.Admin/Controllers/PictureController.cs b/src/Web/Grand.Web.Admin/Controllers/PictureController.cs
@@ -32,8 +32,7 @@ public PictureController(
         _mediaSettings = mediaSettings;
     }
 
-    [HttpPost]
-    [IgnoreAntiforgeryToken]
+    [HttpPost]   
     public virtual async Task<IActionResult> AsyncUpload(IFormFile file, Reference reference = Reference.None, string objectId = "")
     {
         if (file == null)
@@ -73,8 +72,7 @@ await _pictureService.InsertPicture(fileBinary, contentType, null, reference: re
         });
     }
 
-    [HttpPost]
-    [IgnoreAntiforgeryToken]
+    [HttpPost]   
     public virtual async Task<IActionResult> AsyncLogoUpload(IFormFile file)
     {
         if (!await _permissionService.Authorize(StandardPermission.ManageSettings))
diff --git a/src/Web/Grand.Web.Admin/Controllers/ProductController.cs b/src/Web/Grand.Web.Admin/Controllers/ProductController.cs
@@ -1028,8 +1028,7 @@ public async Task<IActionResult> AssociatedProductAddPopup(ProductModel.AddAssoc
 
     #region Product pictures
 
-    [HttpPost]
-    [IgnoreAntiforgeryToken]
+    [HttpPost]    
     public async Task<IActionResult> ProductPictureAdd(
         IFormFileCollection files,
         Reference reference, string objectId,
diff --git a/src/Web/Grand.Web.Store/Controllers/PictureController.cs b/src/Web/Grand.Web.Store/Controllers/PictureController.cs
@@ -33,7 +33,6 @@ public PictureController(
     }
 
     [HttpPost]
-    [IgnoreAntiforgeryToken]
     public virtual async Task<IActionResult> AsyncUpload(IFormFile file, Reference reference = Reference.None, string objectId = "")
     {
         if (file == null)
@@ -74,7 +73,6 @@ await _pictureService.InsertPicture(fileBinary, contentType, null, reference: re
     }
 
     [HttpPost]
-    [IgnoreAntiforgeryToken]
     public virtual async Task<IActionResult> AsyncLogoUpload(IFormFile file)
     {
         if (!await _permissionService.Authorize(StandardPermission.ManageSettings))
diff --git a/src/Web/Grand.Web.Store/Controllers/ProductController.cs b/src/Web/Grand.Web.Store/Controllers/ProductController.cs
@@ -1087,7 +1087,6 @@ public async Task<IActionResult> AssociatedProductAddPopup(ProductModel.AddAssoc
     #region Product pictures
 
     [HttpPost]
-    [IgnoreAntiforgeryToken]
     public async Task<IActionResult> ProductPictureAdd(
         IFormFileCollection files,
         Reference reference, string objectId,
diff --git a/src/Web/Grand.Web.Vendor/Controllers/ProductController.cs b/src/Web/Grand.Web.Vendor/Controllers/ProductController.cs
@@ -1074,8 +1074,7 @@ public async Task<IActionResult> AssociatedProductAddPopup(ProductModel.AddAssoc
 
     #region Product pictures
 
-    [HttpPost]
-    [IgnoreAntiforgeryToken]
+    [HttpPost]    
     public async Task<IActionResult> ProductPictureAdd(
         IFormFileCollection files,
         Reference reference, string objectId,

Original file line number	Diff line number	Diff line change
`@@ -32,8 +32,7 @@ public PictureController(`
`32`	`32`	`_mediaSettings = mediaSettings;`
`33`	`33`	`}`
`34`	`34`
`35`		`- [HttpPost]`
`36`		`- [IgnoreAntiforgeryToken]`
	`35`	`+ [HttpPost]`
`37`	`36`	`public virtual async Task<IActionResult> AsyncUpload(IFormFile file, Reference reference = Reference.None, string objectId = "")`
`38`	`37`	`{`
`39`	`38`	`if (file == null)`
`@@ -73,8 +72,7 @@ await _pictureService.InsertPicture(fileBinary, contentType, null, reference: re`
`73`	`72`	`});`
`74`	`73`	`}`
`75`	`74`
`76`		`- [HttpPost]`
`77`		`- [IgnoreAntiforgeryToken]`
	`75`	`+ [HttpPost]`
`78`	`76`	`public virtual async Task<IActionResult> AsyncLogoUpload(IFormFile file)`
`79`	`77`	`{`
`80`	`78`	`if (!await _permissionService.Authorize(StandardPermission.ManageSettings))`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,6 @@ public PictureController(`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`[HttpPost]`
`36`		`- [IgnoreAntiforgeryToken]`
`37`	`36`	`public virtual async Task<IActionResult> AsyncUpload(IFormFile file, Reference reference = Reference.None, string objectId = "")`
`38`	`37`	`{`
`39`	`38`	`if (file == null)`
`@@ -74,7 +73,6 @@ await _pictureService.InsertPicture(fileBinary, contentType, null, reference: re`
`74`	`73`	`}`
`75`	`74`
`76`	`75`	`[HttpPost]`
`77`		`- [IgnoreAntiforgeryToken]`
`78`	`76`	`public virtual async Task<IActionResult> AsyncLogoUpload(IFormFile file)`
`79`	`77`	`{`
`80`	`78`	`if (!await _permissionService.Authorize(StandardPermission.ManageSettings))`