mirror of
				https://github.com/esphome/esphome.git
				synced 2025-10-26 12:43:48 +00:00 
			
		
		
		
	Require xsrf/csrf when using a password (#6396)
		| @@ -688,6 +688,11 @@ class MainRequestHandler(BaseHandler): | ||||
|     @authenticated | ||||
|     def get(self) -> None: | ||||
|         begin = bool(self.get_argument("begin", False)) | ||||
|         if settings.using_password: | ||||
|             # Simply accessing the xsrf_token sets the cookie for us | ||||
|             self.xsrf_token  # pylint: disable=pointless-statement | ||||
|         else: | ||||
|             self.clear_cookie("_xsrf") | ||||
|  | ||||
|         self.render( | ||||
|             "index.template.html", | ||||
| @@ -1102,6 +1107,7 @@ def make_app(debug=get_bool_env(ENV_DEV)) -> tornado.web.Application: | ||||
|         "log_function": log_function, | ||||
|         "websocket_ping_interval": 30.0, | ||||
|         "template_path": get_base_frontend_path(), | ||||
|         "xsrf_cookies": settings.using_password, | ||||
|     } | ||||
|     rel = settings.relative_url | ||||
|     return tornado.web.Application( | ||||
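Review bot: The `"xsrf_cookies": settings.using_password` entry in `make_app` keeps XSRF validation off whenever no password is configured, so in that mode the dashboard's state-changing handlers (not visible in these hunks) would presumably still accept cross-site requests from the operator's browser. If the token-free mode is deliberate, for example for clients that cannot send the token, record that at the setting with a comment such as `# XSRF is enforced only in password mode; passwordless dashboards must be protected at the network or proxy layer`; otherwise consider `"xsrf_cookies": True` and dropping the `self.clear_cookie("_xsrf")` branch in `MainRequestHandler.get`. Tornado's XSRF check is not applied to WebSocket upgrade requests, so any WebSocket handlers in this app still depend on their own origin check. Both `get` and `make_app` continue outside the visible hunks, so the handlers and the rest of the settings dict should be checked against the full file.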
|   | ||||
| @@ -12,7 +12,7 @@ pyserial==3.5 | ||||
| platformio==6.1.13  # When updating platformio, also update Dockerfile | ||||
| esptool==4.7.0 | ||||
| click==8.1.7 | ||||
| esphome-dashboard==20231107.0 | ||||
| esphome-dashboard==20240319.0 | ||||
| aioesphomeapi==23.1.1 | ||||
| zeroconf==0.131.0 | ||||
| python-magic==0.4.27 | ||||
|   | ||||