From 9ddefa979a12aff2334d6e7048e142cfdef5bb89 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Mon, 29 Jan 2018 15:56:30 -0800
Subject: Add CSRF check for task and project files upload
---
 assets/js/core/http.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'assets/js/core/http.js')
diff --git a/assets/js/core/http.js b/assets/js/core/http.js
index ad321cf1..3e02a4d7 100644
--- a/assets/js/core/http.js
+++ b/assets/js/core/http.js
@@ -83,9 +83,10 @@ KB.http.postForm = function (url, formElement) {
 return (new KB.http.request('POST', url, {}, formData)).execute();
 };
-KB.http.uploadFile = function (url, file, onProgress, onComplete, onError, onServerError) {
+KB.http.uploadFile = function (url, file, csrf, onProgress, onComplete, onError, onServerError) {
 var fd = new FormData();
 fd.append('files[]', file);
+ fd.append('csrf_token', csrf);
 var xhr = new XMLHttpRequest();
 xhr.upload.addEventListener('progress', onProgress);
-- 
cgit v1.2.3
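Review bot: Inserting `csrf` as the third positional argument of `KB.http.uploadFile` shifts every callback by one, so a caller that was not updated with this change would send its `onProgress` function stringified as `csrf_token` and register the wrong handlers; this view is limited to `assets/js/core/http.js`, so the call sites need checking separately. `fd.append('csrf_token', csrf)` also coerces a missing token to the literal string `undefined`, so the mistake only surfaces as a server-side rejection; a guard before the append, such as `if (typeof csrf !== 'string' || csrf === '') { throw new Error('uploadFile: missing CSRF token'); }`, would fail early and visibly. The new field protects the upload only if the receiving endpoint validates `csrf_token`, which is not shown here. The body of `uploadFile` continues past the end of the hunk.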