Open stevenvdr opened 6 years ago
The function getCookies https://github.com/neutronX/django-markdownx/blob/de43019c84b5ae0512c89c7f8d9d08cdfd3b9393/markdownx/static/markdownx/js/markdownx.js#L589 reads out the cookies and then tries to match them against the given name. The function however matches `name+'='` anywhere in the string, so that `subname + name + '='` will also be matched, causing the wrong cookie to be returned.
The function is used to get the 'csrftoken' cookie. The result of an incorrect lookup means that the csrf token will be rejected by the server.
An easy fix is to change the following line:
- .filter(cookie => cookie.indexOf(`${name}=`) !== -1)[0]; + .filter(cookie => cookie.trim().indexOf(`${name}=`) == 0)[0];
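Review bot: the proposed replacement line uses loose equality (`== 0`) where the line it replaces used a strict comparison (`!== -1`); `=== 0` keeps the file's comparison style, and since the file already relies on ES2015 features (template literals, arrow functions), `cookie.trim().startsWith(`${name}=`)` would state the prefix intent directly. Worth noting for the record that the prefix check still requires the name to end exactly at the `=`, so a cookie named `csrftokenx` does not match a lookup for `csrftoken`, and that the trailing `[0]` still yields `undefined` when nothing matches, as before the change.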
Would it be possible to fix this?
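The substring-versus-prefix behaviour described in this issue, as an added example that is not part of the report or of django-markdownx's own code; `getCookieSubstring`, `getCookiePrefix` and the `COOKIE_HEADER` string are constructed for illustration, and the splitting on `;` around the quoted filter line is an assumption about the surrounding code.

```javascript
// Added example (not project code): substring vs. prefix matching when
// looking up a cookie by name. Function names and the cookie string are
// constructed for illustration.

// Constructed document.cookie-style string: a cookie whose name merely ends
// in "csrftoken" is listed before the real "csrftoken" cookie.
const COOKIE_HEADER = "session=abc123; xcsrftoken=WRONG_TOKEN; csrftoken=RIGHT_TOKEN";

// Behaviour reported in the issue: indexOf(name + '=') !== -1 matches the
// substring anywhere in the cookie, so " xcsrftoken=..." is the first hit.
function getCookieSubstring(cookieString, name) {
  const match = cookieString
    .split(";")
    .filter(cookie => cookie.indexOf(`${name}=`) !== -1)[0];
  return match ? match.split("=")[1] : null;
}

// Proposed fix: trim the leading space left by split(";") and require
// "name=" at index 0, so only a cookie whose name is exactly `name` matches
// (a cookie named "csrftokenx" is not a prefix match for "csrftoken").
function getCookiePrefix(cookieString, name) {
  const match = cookieString
    .split(";")
    .map(cookie => cookie.trim())
    .filter(cookie => cookie.indexOf(`${name}=`) === 0)[0];
  // Take everything after the first '=' so values containing '=' stay intact.
  return match ? match.slice(name.length + 1) : null;
}

// Show the two lookups side by side on the constructed header.
console.log(getCookieSubstring(COOKIE_HEADER, "csrftoken")); // WRONG_TOKEN
console.log(getCookiePrefix(COOKIE_HEADER, "csrftoken"));    // RIGHT_TOKEN
```

Because Django rejects a POST whose `X-CSRFToken` header does not match the real `csrftoken` cookie, the first lookup is exactly the failure mode the report describes.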
Thanks for pointing this out. I'll get onto this next week... or you can do it yourself and submit a pull request?
Please close this issue as it has been fixed on #172