
I'm trying to protect my upload controller method using the MVC ValidateAntiForgeryToken, but I'm struggling to work out how to get the __RequestVerificationToken included in the post.

My action is like this:

[HttpPost, ValidateAntiForgeryToken]
public ActionResult FileUpload(HttpPostedFileBase qqfile)

Looking through the documentation for the uploader, I can't find any exposed hooks that would allow me, from outside the qq code, to manipulate the form it generates.

Has anyone else managed to get this to work?

After editing the source file for the form creation my requests are still not passing the validation:

Request

http://localhost:54275/UserProfile/FileUpload?qqfile=266758_10150696082935268_8163320_o.jpg

Host: localhost:54275
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
X-File-Name: 266758_10150696082935268_8163320_o.jpg
Content-Type: application/octet-stream
X-Mime-Type: image/jpeg
Referer: http://localhost:54275/UserProfile/Edit
Content-Length: 625352
Cookie: __test=1; RememberMe=-1167340540^1#-5833880764017141030; __RequestVerificationToken=BEIHblTcEaCio_1_i6bJnSYmituqQfq9y2ge63T85w15pAhbPldPZqY8DhLTubmtmd9OLtAuJcHdmfaFHSbn1L7oAYAtxDJWdMOOzNrddhU1; DotNetOpenAuth.WebServerClient.XSRF-Session=O-l5-Hv0flYqKL27j0TGhA; .ASPXAUTH=52C5EDFB92A09FA0395676E23BE1EBBBF03D3E88EF7C81761B76C1C8EF67936C0D9FBFD730ED77B0246C49757828A7C17D0DD7644A1C50988ECFF4C3DEDF15783E5FD7C4BA97E484F9FD6460EB6A5310E27453B461E320D10E74A5F8AEE1C0A5B1367D0DB4060958B48DACB12E80AA23; TCSESSIONID=D9016B850A1BCFD6921E274467F52CEE
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Fiddler-Encoding: base64
Jammer

2 Answers


I am using version 5.11.10 of FineUploader (a rename of Valum's FileUploader, as mentioned in the FineUploader history) and it does contain a feature to specify a form; see Form Options.

An example of a FineUploader upload with AntiForgeryToken validation, if your form doesn't contain any other form values, is to include a form with some id (testForm in the example below) containing the AntiForgeryToken:

@using (Html.BeginForm(MVCHelpers.Bank.Transactions.UploadFile(), FormMethod.Post, new { id = "testForm" }))
{
    @Html.AntiForgeryToken()
}

And in the FineUploader options, also specify the form it has to send:

<div id="fileUploadContainer"></div>
<script>
    var uploader = new qq.FineUploader({
        element: document.getElementById("fileUploadContainer"),
        ...
        form: {
            element: "testForm",
            autoUpload: true
        }
    });
</script>

This enables you to upload files in combination with [ValidateAntiForgeryToken] on your Action. You can also specify a real form, if the upload is part of other form values, by specifying the id of that form. Pay attention to autoUpload: true, since it defaults to false when you set a form element.

Dacker
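Added example, not the answer's code and not Fine Uploader's or ASP.NET MVC's: a small Node.js script that builds the two request shapes at issue in this thread, the raw application/octet-stream upload seen in the question's Fiddler capture and the multipart/form-data upload that a form-aware uploader sends, and runs a deliberately simplified model of the server-side rule over both. The token value, the file bytes, the boundary string and the /UserProfile/FileUpload URL are constructed stand-ins; formTokenFromRequest only illustrates the rule that the form token is read from the posted form collection (so it is ignored in the query string and absent from a non-form body) and does not reproduce the framework's cookie/form token pairing or its cryptographic check.

```javascript
// Added example: why the raw octet-stream upload fails [ValidateAntiForgeryToken]
// and a form-aware multipart upload passes. Not Fine Uploader's code and not
// ASP.NET MVC's implementation; every value below is a constructed stand-in.

// Constructed sample values. A real __RequestVerificationToken is an opaque,
// server-generated string rendered by @Html.AntiForgeryToken() into a hidden input.
const FORM_TOKEN = "constructed-form-token-value";
const FILE_BYTES = Buffer.from("\xff\xd8\xff\xe0 fake jpeg payload", "latin1");

// Build a multipart/form-data body the way a browser form post (or an uploader
// that serialises a form) does: ordinary fields first, then the file part.
function buildMultipart(fields, file, boundary = "----ExampleBoundary7MA4YWxk") {
  let head = "";
  for (const [name, value] of Object.entries(fields)) {
    head += `--${boundary}\r\n` +
      `Content-Disposition: form-data; name="${name}"\r\n\r\n` +
      `${value}\r\n`;
  }
  head += `--${boundary}\r\n` +
    `Content-Disposition: form-data; name="${file.fieldName}"; filename="${file.fileName}"\r\n` +
    `Content-Type: ${file.contentType}\r\n\r\n`;
  const tail = `\r\n--${boundary}--\r\n`;
  return {
    contentType: `multipart/form-data; boundary=${boundary}`,
    body: Buffer.concat([Buffer.from(head, "latin1"), file.data, Buffer.from(tail, "latin1")]),
  };
}

// 1. The shape seen in the question's capture: the file is the whole body and
//    metadata rides in the query string. The token is put in the query string
//    too, modelling the `params` attempt discussed in the comments.
function rawOctetStreamUpload() {
  return {
    url: `/UserProfile/FileUpload?qqfile=photo.jpg&__RequestVerificationToken=${FORM_TOKEN}`,
    contentType: "application/octet-stream",
    body: FILE_BYTES,
  };
}

// 2. The shape a form-aware upload produces: the hidden field from the form
//    travels as a form-data part next to the file.
function multipartUpload() {
  const { contentType, body } = buildMultipart(
    { __RequestVerificationToken: FORM_TOKEN },
    { fieldName: "qqfile", fileName: "photo.jpg", contentType: "image/jpeg", data: FILE_BYTES }
  );
  return { url: "/UserProfile/FileUpload", contentType, body };
}

// Simplified model of the server-side rule: the form token is read from the
// posted form collection only. req.url is deliberately never consulted, and a
// non-form content type yields no form collection at all. The field is matched
// on the part's Content-Disposition header, not on part bodies, so file content
// cannot masquerade as the token. Returns the token string or null.
function formTokenFromRequest(req) {
  if (!req.contentType.startsWith("multipart/form-data")) return null;
  const boundary = req.contentType.split("boundary=")[1];
  const text = req.body.toString("latin1");
  for (const part of text.split(`--${boundary}`)) {
    const sep = part.indexOf("\r\n\r\n");
    if (sep < 0) continue;                       // preamble or closing "--" marker
    const headers = part.slice(0, sep);
    if (/name="__RequestVerificationToken"/.test(headers)) {
      return part.slice(sep + 4).replace(/\r\n$/, "");
    }
  }
  return null;
}

// Evaluate both shapes at once: raw -> null, multipart -> FORM_TOKEN.
function compareUploads() {
  return {
    raw: formTokenFromRequest(rawOctetStreamUpload()),
    multipart: formTokenFromRequest(multipartUpload()),
  };
}

console.log(compareUploads());
```

The takeaway matches the last comment in the thread: a token in the query string does nothing, because the attribute only looks at posted form data, and a body whose content type is application/octet-stream has no form data to look at. Any client-side approach (the `form` option, a hand-built FormData post, or a patched _createForm) works only if it ends up putting the hidden field into a multipart or url-encoded body alongside the file.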

If you look in the source code, it looks like you could add the antiforgery token code to the _createForm: function(iframe, params){...} portion of the uploader and be good to go. See the two answers here for more help.

PlTaylor
  • Yeah I did see that code when I browsed it but hacking source like that will almost certainly end up getting missed when it's upgraded at a later date. Something I was attempting to avoid to be honest. Thanks. – Jammer Feb 19 '14 at 12:26
  • I already use some similar code for my Ajax stuff so I have all of that in place already I just didn't want to hack source files. – Jammer Feb 19 '14 at 12:26
  • the other option, that I haven't tested, might be to add the anti-forgery to the 'params' variable when you call the uploader. – PlTaylor Feb 19 '14 at 12:42
  • I've tried the params approach already and it doesn't work. I've just edited the form creation method and that doesn't work either ... very odd. – Jammer Feb 19 '14 at 12:46
  • Also, strangely, adding a breakpoint on the form creation method never gets hit either ... it gets weirder ... – Jammer Feb 19 '14 at 12:50
  • Can you capture the request with fiddler and post it? – PlTaylor Feb 19 '14 at 12:51
  • Done, I think the content type is stripping it out – Jammer Feb 19 '14 at 13:09
  • And if you do the params it doesn't add it to the end of the query string? – PlTaylor Feb 19 '14 at 14:24
  • No adding it as a query string value using the `params{}` option doesn't work either. I don't think the standard attribute supports query string transmission of the verification token, it expects it as part of the posted data. – Jammer Feb 21 '14 at 11:40