
Merge pull request #950 from weseek/support/csrf

Support/csrf
Yuki Takei 7 år sedan
förälder
incheckning
6758364bf0
2 ändrade filer med 2 tillägg och 1 borttagningar
  1. 1 1
      src/server/routes/index.js
  2. 1 0
      src/server/views/me/index.html

+ 1 - 1
src/server/routes/index.js

@@ -160,7 +160,7 @@ module.exports = function(crowi, app) {
   app.get('/me'                       , loginRequired(crowi, app) , me.index);
   app.get('/me/password'              , loginRequired(crowi, app) , me.password);
   app.get('/me/apiToken'              , loginRequired(crowi, app) , me.apiToken);
-  app.post('/me'                      , form.me.user              , loginRequired(crowi, app) , me.index);
+  app.post('/me'                      , loginRequired(crowi, app) , csrf , form.me.user , me.index);
   // external-accounts
   if (Config.isEnabledPassport(config)) {
     app.get('/me/external-accounts'                         , loginRequired(crowi, app) , me.externalAccounts.list);
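Review bot: The CSRF check is added to a single route, `app.post('/me', …)`, while the pages registered just above it (`/me/password`, `/me/apiToken`) are shown here only as GETs; if their POST counterparts exist elsewhere in this file they would need the same `csrf` middleware and a hidden `_csrf` field in their forms, otherwise the protection stays partial. The new order `loginRequired → csrf → form.me.user → me.index` is sound, since the token is verified before the form is validated and the handler runs, and I would pin it with a comment so it is not reordered later: `// order matters: authenticate, then verify the CSRF token, then validate the form body`. The enclosing `module.exports = function(crowi, app)` begins outside the hunk, so where `csrf` is defined and which request fields it reads is not visible here.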

+ 1 - 0
src/server/views/me/index.html

@@ -106,6 +106,7 @@
 
       <div class="form-group">
         <div class="col-sm-offset-2 col-sm-10">
+          <input type="hidden" name="_csrf" value="{{ csrf() }}">
           <button type="submit" class="btn btn-primary">{{ t('Update') }}</button>
         </div>
       </div>
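Review bot: The hidden `_csrf` input is placed next to the submit button, but the opening `<form>` tag is outside the hunk, so it cannot be confirmed from this view that the field sits inside the form that posts to `/me` rather than a neighbouring one; a token outside that form would be silently dropped and the protected route would reject every submit. Keep the field name `_csrf` in step with whatever the server-side `csrf` middleware reads from the request body, and apply the same hidden field to any other form in this template whose route gains the `csrf` middleware.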