From 9f428fa21871052a0753420a7076f0f1b7fcf52b Mon Sep 17 00:00:00 2001
From: Ibrahim Serdar Acikgoz
Date: Tue, 3 Feb 2026 12:11:59 +0100
Subject: [PATCH] harden CSRF check on deprecated acitvate policy API
---
 server/channels/api4/access_control.go | 9 ++++++---
 server/i18n/en.json | 4 ++++
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/server/channels/api4/access_control.go b/server/channels/api4/access_control.go
index 078391032df..d5c28afe4d0 100644
--- a/server/channels/api4/access_control.go
+++ b/server/channels/api4/access_control.go
@@ -11,6 +11,7 @@ import (
 "github.com/mattermost/mattermost/server/public/model"
 "github.com/mattermost/mattermost/server/public/shared/mlog"
+ "github.com/mattermost/mattermost/server/v8/channels/app"
 )
 func (api *API) InitAccessControlPolicy() {
@@ -392,9 +393,11 @@ func updateActiveStatus(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- // CSRF barrier: only allow header-based auth (reject cookie-only sessions)
- if r.Header.Get(model.HeaderAuth) == "" {
- c.SetInvalidParam("Authorization")
+ // CSRF barrier: only allow header-based auth (reject cookie sessions)
+ token, tokenLocation := app.ParseAuthTokenFromRequest(r)
+ if token == "" || tokenLocation == app.TokenLocationCookie {
+ c.Err = model.NewAppError("updateActiveStatus", "api.context.session_cookie_not_allowed.app_error", nil,
+ "This endpoint requires header-based authentication", http.StatusUnauthorized)
 return
 }
diff --git a/server/i18n/en.json b/server/i18n/en.json
index 955201a9409..4f9c976f34d 100644
--- a/server/i18n/en.json
+++ b/server/i18n/en.json
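Review bot: The new guard in updateActiveStatus rejects only `app.TokenLocationCookie`, while the comment directly above it states that only header-based auth is allowed; `app.ParseAuthTokenFromRequest` also reports tokens found in other locations (the query string, for one, as the neighbouring `api.context.token_provided.app_error` text in en.json shows), so the deny-list admits more than the comment promises. If the intent is exactly what the comment says, an allow-list expresses it and stays closed to any token location added later: `if token == "" || tokenLocation != app.TokenLocationHeader {`. If other header-carried token locations are meant to pass, the comment should say so instead, so the next reader does not take it for a header-only barrier. updateActiveStatus starts and ends outside the hunk.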
@@ -1917,6 +1917,10 @@
 "id": "api.context.session_expired.app_error",
 "translation": "Invalid or expired session, please login again."
 },
+ {
+ "id": "api.context.session_cookie_not_allowed.app_error",
+ "translation": "Cookie-based authentication is not allowed for this endpoint. Please use header-based authentication."
+ },
 {
 "id": "api.context.token_provided.app_error",
 "translation": "Session is not OAuth but token was provided in the query string."