Require CSRF check on custom alias creation (#1977)

simple-login · Dec 20, 2023 · 1dfb0e3 · 1dfb0e3
1 parent 2a9c1c5
commit 1dfb0e3
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/app/dashboard/views/custom_alias.py b/app/dashboard/views/custom_alias.py
@@ -24,6 +24,7 @@
     AliasMailbox,
     DomainDeletedAlias,
 )
+from app.utils import CSRFValidationForm
 
 
 @dashboard_bp.route("/custom_alias", methods=["GET", "POST"])
@@ -48,9 +49,13 @@ def custom_alias():
             at_least_a_premium_domain = True
             break
 
+    csrf_form = CSRFValidationForm()
     mailboxes = current_user.mailboxes()
 
     if request.method == "POST":
+        if not csrf_form.validate():
+            flash("Invalid request", "warning")
+            return redirect(request.url)
         alias_prefix = request.form.get("prefix").strip().lower().replace(" ", "")
         signed_alias_suffix = request.form.get("signed-alias-suffix")
         mailbox_ids = request.form.getlist("mailboxes")
@@ -164,4 +169,5 @@ def custom_alias():
         alias_suffixes=alias_suffixes,
         at_least_a_premium_domain=at_least_a_premium_domain,
         mailboxes=mailboxes,
+        csrf_form=csrf_form,
     )
diff --git a/templates/dashboard/custom_alias.html b/templates/dashboard/custom_alias.html
@@ -93,6 +93,7 @@ <h1 class="h3">New Custom Alias</h1>
         </div>
         <div class="row">
           <div class="col p-1">
+            {{ csrf_form.csrf_token }}
             <button type="submit" id="create" class="btn btn-primary mt-1">Create</button>
           </div>
         </div>