From 96652d08d3badbdd17de2dec3b256c1376fedb86 Mon Sep 17 00:00:00 2001
From: Hannes Rantzsch
Date: Wed, 11 Sep 2024 11:55:17 +0200
Subject: [PATCH] csrf_token is marked with _

CMK-18866

Change-Id: I60bd4f0a674c12c198dfed88aee0bb392971cea7
---
 cmk/gui/htmllib/html.py | 2 +-
 cmk/gui/utils/csrf_token.py | 4 ++--
 cmk/gui/utils/urls.py | 4 ++--
 cmk/gui/watolib/hosts_and_folders.py | 2 +-
 packages/cmk-frontend/src/js/modules/ajax.ts | 6 +++---
 packages/cmk-frontend/src/js/modules/forms.ts | 2 +-
 6 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/cmk/gui/htmllib/html.py b/cmk/gui/htmllib/html.py
index b0d0a742947..274f2691782 100644
--- a/cmk/gui/htmllib/html.py
+++ b/cmk/gui/htmllib/html.py
@@ -459,7 +459,7 @@ def begin_form(
 enctype=enctype if method.lower() == "post" else None,
 )
 if hasattr(session, "session_info"):
- self.hidden_field("csrf_token", session.session_info.csrf_token)
+ self.hidden_field("_csrf_token", session.session_info.csrf_token)
 self.hidden_field("filled_in", name, add_var=True)
 
 if add_transid:
diff --git a/cmk/gui/utils/csrf_token.py b/cmk/gui/utils/csrf_token.py
index f3da257f9a9..2c185228aff 100644
--- a/cmk/gui/utils/csrf_token.py
+++ b/cmk/gui/utils/csrf_token.py
@@ -53,9 +53,9 @@ def check_csrf_token(token: str | None = None) -> None:
 if isinstance(session.user, LoggedInNobody):
 return
 
- csrf_token = token or request.get_str_input("csrf_token")
+ csrf_token = token or request.get_str_input("_csrf_token")
 if csrf_token is None:
- csrf_token = request.get_request().get("csrf_token")
+ csrf_token = request.get_request().get("_csrf_token")
 
 if csrf_token is None:
 log_security_event(
diff --git a/cmk/gui/utils/urls.py b/cmk/gui/utils/urls.py
index 43928b500db..911955891d1 100644
--- a/cmk/gui/utils/urls.py
+++ b/cmk/gui/utils/urls.py
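Review bot: The check now accepts only `_csrf_token`, so a request that still carries the old `csrf_token` name (a page rendered before an upgrade, a cached form, or a producer not among the six files in this patch) falls through both lookups and lands in the log_security_event branch below. If that matters for rolling upgrades, keep the old name readable for one release, `csrf_token = token or request.get_str_input("_csrf_token") or request.get_str_input("csrf_token")`, with a TODO to drop it; otherwise a search for remaining `"csrf_token"` producers before merging is the minimum. A short comment above the lookup saying what the leading underscore signals would also help, since the commit message only says the variable is "marked with _". check_csrf_token's body continues outside the hunk.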
@@ -241,7 +241,7 @@ def makeactionuri(
 ) -> str:
 session_vars: HTTPVariables = [("_transid", transaction_manager.get())]
 if session and hasattr(session, "session_info"):
- session_vars.append(("csrf_token", session.session_info.csrf_token))
+ session_vars.append(("_csrf_token", session.session_info.csrf_token))
 
 return makeuri(request, addvars + session_vars, filename=filename, delvars=delvars)
 
@@ -254,7 +254,7 @@ def makeactionuri_contextless(
 ) -> str:
 session_vars: HTTPVariables = [("_transid", transaction_manager.get())]
 if session and hasattr(session, "session_info"):
- session_vars.append(("csrf_token", session.session_info.csrf_token))
+ session_vars.append(("_csrf_token", session.session_info.csrf_token))
 
 return makeuri_contextless(request, addvars + session_vars, filename=filename)
 
diff --git a/cmk/gui/watolib/hosts_and_folders.py b/cmk/gui/watolib/hosts_and_folders.py
index acccad22293..2bcdfc3009c 100644
--- a/cmk/gui/watolib/hosts_and_folders.py
+++ b/cmk/gui/watolib/hosts_and_folders.py
@@ -3598,7 +3598,7 @@ def folder_preserving_link(add_vars: HTTPVariables) -> str:
 def make_action_link(vars_: HTTPVariables) -> str:
 session_vars: HTTPVariables = [("_transid", transactions.get())]
 if session and hasattr(session, "session_info"):
- session_vars.append(("csrf_token", session.session_info.csrf_token))
+ session_vars.append(("_csrf_token", session.session_info.csrf_token))
 
 return folder_preserving_link(vars_ + session_vars)
 
diff --git a/packages/cmk-frontend/src/js/modules/ajax.ts b/packages/cmk-frontend/src/js/modules/ajax.ts
index 82265ba2b79..7e7db9d884e 100644
--- a/packages/cmk-frontend/src/js/modules/ajax.ts
+++ b/packages/cmk-frontend/src/js/modules/ajax.ts
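Review bot: The three-line session_vars construction patched here is repeated verbatim in makeactionuri, makeactionuri_contextless and make_action_link (the hosts_and_folders.py hunk), which is why one parameter rename has to be applied in three places and why a later change can miss one. A small helper in urls.py would leave a single definition, e.g. `def _session_vars(transid: str) -> HTTPVariables:` returning `[("_transid", transid)]` plus the `("_csrf_token", session.session_info.csrf_token)` entry when `session and hasattr(session, "session_info")`, with each call site reduced to `session_vars = _session_vars(transaction_manager.get())`. This is a structure point rather than a defect in the change itself.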
@@ -133,11 +133,11 @@ export function call_ajax(
 }
 if (
 typeof args.post_data == "string" &&
- !args.post_data.includes("&csrf_token=") &&
- !args.post_data.startsWith("csrf_token=")
+ !args.post_data.includes("&_csrf_token=") &&
+ !args.post_data.startsWith("_csrf_token=")
 ) {
 args.post_data +=
- "&csrf_token=" + encodeURIComponent(global_csrf_token);
+ "&_csrf_token=" + encodeURIComponent(global_csrf_token);
 }
 AJAX.send(args.post_data);
diff --git a/packages/cmk-frontend/src/js/modules/forms.ts b/packages/cmk-frontend/src/js/modules/forms.ts
index b4e6e60d4b2..e61f28c64fd 100644
--- a/packages/cmk-frontend/src/js/modules/forms.ts
+++ b/packages/cmk-frontend/src/js/modules/forms.ts
@@ -482,7 +482,7 @@ export function confirm_link(
 document.createElement("input"),
 {
 type: "hidden",
- name: "csrf_token",
+ name: "_csrf_token",
 value: global_csrf_token,
 }
 );
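Review bot: The renamed guard still decides whether a token is already present by substring on the raw body (`includes("&_csrf_token=")` / `startsWith("_csrf_token=")`) and then appends by string concatenation, which also produces a leading `&` when post_data is the empty string. If post_data is always form-encoded at this point, `URLSearchParams` states the intent in one step: `const params = new URLSearchParams(args.post_data); if (!params.has("_csrf_token")) params.set("_csrf_token", global_csrf_token); args.post_data = params.toString();`. Re-serialising does change the encoding of existing pairs (spaces become `+`), so confirm the server-side parser accepts that before switching. call_ajax starts and ends outside the hunk.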