Security improvements

no issue
- added CSRF protection
- changed session handling to express.session
- changed session handling to change session id
- added config property useCookieSession
- added file extension check for /ghost/upload
- removed /ghost/debug/db/reset

ghost/admin/assets/lib/uploader.js

@@ -64,6 +64,9 @@
 
                 $dropzone.find('.js-fileupload').fileupload().fileupload("option", {
                     url: '/ghost/upload/',
+                    headers: {
+                        'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                    },
                     add: function (e, data) {
                         $dropzone.find('.js-fileupload').removeClass('right');
                         $dropzone.find('.js-url, button.centre').remove();

ghost/admin/init.js

@@ -23,6 +23,16 @@
 
     _.extend(Ghost, Backbone.Events);
 
+    Backbone.oldsync = Backbone.sync;
+    // override original sync method to make header request contain csrf token
+    Backbone.sync = function (method, model, options, error) {
+        options.beforeSend = function (xhr) {
+            xhr.setRequestHeader('X-CSRF-Token', $("meta[name='csrf-param']").attr('content'));
+        };
+        /* call the old sync method */
+        return Backbone.oldsync(method, model, options, error);
+    };
+
     Ghost.init = function () {
         Ghost.router = new Ghost.Router();
 

ghost/admin/views/base.js

@@ -202,6 +202,9 @@
             if (self.className.indexOf('notification-persistent') !== -1) {
                 $.ajax({
                     type: "DELETE",
+                    headers: {
+                        'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                    },
                     url: '/api/v0.1/notifications/' + $(self).find('.close').data('id')
                 }).done(function (result) {
                     bbSelf.$el.slideUp(250, function () {
@@ -231,6 +234,9 @@
                 bbSelf = this;
             $.ajax({
                 type: "DELETE",
+                headers: {
+                    'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                },
                 url: '/api/v0.1/notifications/' + $(self).data('id')
             }).done(function (result) {
                 var height = bbSelf.$('.js-notification').outerHeight(true),

ghost/admin/views/login.js

@@ -33,6 +33,9 @@
                 $.ajax({
                     url: '/ghost/signin/',
                     type: 'POST',
+                    headers: {
+                        'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                    },
                     data: {
                         email: email,
                         password: password,
@@ -87,6 +90,9 @@
                 $.ajax({
                     url: '/ghost/signup/',
                     type: 'POST',
+                    headers: {
+                        'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                    },
                     data: {
                         name: name,
                         email: email,
@@ -136,6 +142,9 @@
                 $.ajax({
                     url: '/ghost/forgotten/',
                     type: 'POST',
+                    headers: {
+                        'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                    },
                     data: {
                         email: email
                     },

ghost/admin/views/settings.js

@@ -351,6 +351,9 @@
                 $.ajax({
                     url: '/ghost/changepw/',
                     type: 'POST',
+                    headers: {
+                        'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                    },
                     data: {
                         password: oldPassword,
                         newpassword: newPassword,