csrf_token is marked with _

CMK-18866 Change-Id: I60bd4f0a674c12c198dfed88aee0bb392971cea7
Checkmk · Sep 17, 2024 · 96652d0 · 96652d0
1 parent e8af2b5
commit 96652d0
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 10 deletions.
diff --git a/cmk/gui/htmllib/html.py b/cmk/gui/htmllib/html.py
@@ -459,7 +459,7 @@ def begin_form(
             enctype=enctype if method.lower() == "post" else None,
         )
         if hasattr(session, "session_info"):
-            self.hidden_field("csrf_token", session.session_info.csrf_token)
+            self.hidden_field("_csrf_token", session.session_info.csrf_token)
 
         self.hidden_field("filled_in", name, add_var=True)
         if add_transid:

diff --git a/cmk/gui/utils/csrf_token.py b/cmk/gui/utils/csrf_token.py
@@ -53,9 +53,9 @@ def check_csrf_token(token: str | None = None) -> None:
     if isinstance(session.user, LoggedInNobody):
         return
 
-    csrf_token = token or request.get_str_input("csrf_token")
+    csrf_token = token or request.get_str_input("_csrf_token")
     if csrf_token is None:
-        csrf_token = request.get_request().get("csrf_token")
+        csrf_token = request.get_request().get("_csrf_token")
 
     if csrf_token is None:
         log_security_event(

diff --git a/cmk/gui/utils/urls.py b/cmk/gui/utils/urls.py
@@ -241,7 +241,7 @@ def makeactionuri(
 ) -> str:
     session_vars: HTTPVariables = [("_transid", transaction_manager.get())]
     if session and hasattr(session, "session_info"):
-        session_vars.append(("csrf_token", session.session_info.csrf_token))
+        session_vars.append(("_csrf_token", session.session_info.csrf_token))
 
     return makeuri(request, addvars + session_vars, filename=filename, delvars=delvars)
 
@@ -254,7 +254,7 @@ def makeactionuri_contextless(
 ) -> str:
     session_vars: HTTPVariables = [("_transid", transaction_manager.get())]
     if session and hasattr(session, "session_info"):
-        session_vars.append(("csrf_token", session.session_info.csrf_token))
+        session_vars.append(("_csrf_token", session.session_info.csrf_token))
 
     return makeuri_contextless(request, addvars + session_vars, filename=filename)
 

diff --git a/cmk/gui/watolib/hosts_and_folders.py b/cmk/gui/watolib/hosts_and_folders.py
@@ -3598,7 +3598,7 @@ def folder_preserving_link(add_vars: HTTPVariables) -> str:
 def make_action_link(vars_: HTTPVariables) -> str:
     session_vars: HTTPVariables = [("_transid", transactions.get())]
     if session and hasattr(session, "session_info"):
-        session_vars.append(("csrf_token", session.session_info.csrf_token))
+        session_vars.append(("_csrf_token", session.session_info.csrf_token))
 
     return folder_preserving_link(vars_ + session_vars)
 

diff --git a/packages/cmk-frontend/src/js/modules/ajax.ts b/packages/cmk-frontend/src/js/modules/ajax.ts
@@ -133,11 +133,11 @@ export function call_ajax<HandlerData = any>(
     }
     if (
         typeof args.post_data == "string" &&
-        !args.post_data.includes("&csrf_token=") &&
-        !args.post_data.startsWith("csrf_token=")
+        !args.post_data.includes("&_csrf_token=") &&
+        !args.post_data.startsWith("_csrf_token=")
     ) {
         args.post_data +=
-            "&csrf_token=" + encodeURIComponent(global_csrf_token);
+            "&_csrf_token=" + encodeURIComponent(global_csrf_token);
     }
 
     AJAX.send(args.post_data);

diff --git a/packages/cmk-frontend/src/js/modules/forms.ts b/packages/cmk-frontend/src/js/modules/forms.ts
@@ -482,7 +482,7 @@ export function confirm_link(
             document.createElement("input"),
             {
                 type: "hidden",
-                name: "csrf_token",
+                name: "_csrf_token",
                 value: global_csrf_token,
             }
         );