From d7becafd593c2958d8a241928412ddf4ba801a42 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Fri, 18 Jan 2019 12:32:40 +0100
Subject: [PATCH] add xsrf checks on files endpoints

---
 notebook/base/handlers.py               | 9 ++++++++-
 notebook/files/handlers.py              | 5 ++++-
 notebook/services/nbconvert/handlers.py | 1 +
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
index cac040f06e..b458445b14 100755
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@@ -650,14 +650,21 @@ def content_security_policy(self):
         return super(AuthenticatedFileHandler, self).content_security_policy + \
                 "; sandbox allow-scripts"
 
+    @web.authenticated
+    def head(self, path):
+        self.check_xsrf_cookie()
+        return super(AuthenticatedFileHandler, self).head(path)
+
     @web.authenticated
     def get(self, path):
+        self.check_xsrf_cookie()
+
         if os.path.splitext(path)[1] == '.ipynb' or self.get_argument("download", False):
             name = path.rsplit('/', 1)[-1]
             self.set_attachment_header(name)
 
         return web.StaticFileHandler.get(self, path)
-    
+
     def get_content_type(self):
         path = self.absolute_path.strip('/')
         if '/' in path:
diff --git a/notebook/files/handlers.py b/notebook/files/handlers.py
index 7c798d5cc6..192de1f923 100644
--- a/notebook/files/handlers.py
+++ b/notebook/files/handlers.py
@@ -31,10 +31,13 @@ def content_security_policy(self):
 
     @web.authenticated
     def head(self, path):
-        self.get(path, include_body=False)
+        self.check_xsrf_cookie()
+        return self.get(path, include_body=False)
 
     @web.authenticated
     def get(self, path, include_body=True):
+        # /files/ requests must originate from the same site
+        self.check_xsrf_cookie()
         cm = self.contents_manager
 
         if cm.is_hidden(path) and not cm.allow_hidden:
diff --git a/notebook/services/nbconvert/handlers.py b/notebook/services/nbconvert/handlers.py
index 63e731238f..2a9897fc47 100644
--- a/notebook/services/nbconvert/handlers.py
+++ b/notebook/services/nbconvert/handlers.py
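Review bot: The new `head` delegates to `super(AuthenticatedFileHandler, self).head(path)`, and Tornado's `StaticFileHandler.head` is implemented as `self.get(path, include_body=False)`, yet the `get` override in this same hunk is declared `def get(self, path):`, so the HEAD path would fail with a TypeError on the unexpected keyword before any response is served (a pre-existing mismatch, since the inherited `head` took the same route, but this method now reaches it explicitly; confirm against the Tornado version the project pins). The files handler hunk below already threads the flag through; mirroring that here would be `def get(self, path, include_body=True):` and `return web.StaticFileHandler.get(self, path, include_body=include_body)`. With that in place `check_xsrf_cookie` runs twice per HEAD — once in `head` and again in `get` — which is harmless, but a one-line comment on the `head` call such as `# get() repeats the check; kept so HEAD fails closed if get() is refactored` would stop a later cleanup from removing the wrong one. `content_security_policy` at the top of the hunk and `get_content_type` at the bottom both extend outside it.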
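Review bot: `check_xsrf_cookie` in `get` now runs on every GET of `/files/`, and Tornado's default implementation raises 403 whenever the `_xsrf` argument or `X-XSRFToken` header is absent, regardless of method, so a user opening a `/files/` URL directly or following a plain link would be rejected unless `IPythonHandler` overrides `check_xsrf_cookie` with a GET/HEAD-specific fallback — that override is not part of this diff, so it should be confirmed, and the comment should name the mechanism that keeps same-origin navigation working. The same consideration applies to the `get` in the base-handler hunk above and to the nbconvert hunk. The check added to `head` is redundant because `head` immediately calls `get`, which repeats it; keeping it is harmless, but a comment such as `# get() repeats the check; kept so HEAD fails closed if get() is refactored` makes that deliberate. The comment `# /files/ requests must originate from the same site` would be more precise as `# require the XSRF token on reads so /files/ content cannot be fetched cross-site`, since the check verifies the cookie/token pair rather than the request's origin. `get` continues past the end of the hunk.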
@@ -9,6 +9,7 @@ class NbconvertRootHandler(APIHandler):
 
     @web.authenticated
     def get(self):
+        self.check_xsrf_cookie()
         try:
             from nbconvert.exporters import base
         except ImportError as e:
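Review bot: The added `self.check_xsrf_cookie()` is the only one of the three call sites in this patch without a comment saying why a read-only GET needs the XSRF token; the files handler hunk documents its call and this one should match, e.g. `# require the XSRF token so the exporter listing is not readable cross-site, as for /files/`. The body of `get` continues past the end of the hunk, so whether the handler has any other same-origin check later is not visible here.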