User avatar upload endpoint is vulnerable to XSRF

Type atlassian
Reporter pepoirot
Modified 2017-02-16T02:07:01


Stash, as of 2.12, will allow users to upload local avatars to their account (STASHDEV-6182).

That upload is submitted to a (non-API) endpoint that accepts a POST request with the avatar as a [data-uri|].

Currently, because the form is submitted by AJAX, the endpoint is annotated with {{@IgnoresXsrf}}, as the front-end doesn't have a security token to submit along with the request. See [UserProfileController.uploadAvatar|] for the source.

The two alternatives to fix this (and remove the annotation) are:
- submit the data as JSON instead of {{form-urlencoded}},
- get hold of a security token/value in the page and submit it as part of the AJAX request.