Require CSRF check on custom alias creation (#1977)

2023-12-20 16:15:01 +01:00 · 2023-12-20 16:15:01 +01:00 · 1dfb0e3356
parent 2a9c1c5658
commit 1dfb0e3356
2 changed files with 7 additions and 0 deletions
--- a/app/dashboard/views/custom_alias.py
+++ b/app/dashboard/views/custom_alias.py
@ -24,6 +24,7 @@ from app.models import (
    AliasMailbox,
    DomainDeletedAlias,
 )
+from app.utils import CSRFValidationForm


@dashboard_bp.route("/custom_alias", methods=["GET", "POST"])
@ -48,9 +49,13 @@ def custom_alias():
            at_least_a_premium_domain = True
            break

+    csrf_form = CSRFValidationForm()
    mailboxes = current_user.mailboxes()

    if request.method == "POST":
+        if not csrf_form.validate():
+            flash("Invalid request", "warning")
+            return redirect(request.url)
        alias_prefix = request.form.get("prefix").strip().lower().replace(" ", "")
        signed_alias_suffix = request.form.get("signed-alias-suffix")
        mailbox_ids = request.form.getlist("mailboxes")
@ -164,4 +169,5 @@ def custom_alias():
        alias_suffixes=alias_suffixes,
        at_least_a_premium_domain=at_least_a_premium_domain,
        mailboxes=mailboxes,
+        csrf_form=csrf_form,
    )
--- a/templates/dashboard/custom_alias.html
+++ b/templates/dashboard/custom_alias.html
@ -93,6 +93,7 @@
        </div>
        <div class="row">
          <div class="col p-1">
+            {{ csrf_form.csrf_token }}
            <button type="submit" id="create" class="btn btn-primary mt-1">Create</button>
          </div>
        </div>