From c080634a53dcb7446b005c4f7279cf45c16988a7 Mon Sep 17 00:00:00 2001
From: Quaternions
Date: Sun, 31 Dec 2023 11:53:07 -0800
Subject: [PATCH] CSRF challenge
---
 src/main.rs | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/src/main.rs b/src/main.rs
index ee19608..aa1e489 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -117,8 +117,9 @@ async fn upload_list(cookie:String,owner:Owner,asset_id_file_map:AssetIDFileMap)
 let owner=&owner;
 async move{
 let mut url=reqwest::Url::parse("https://data.roblox.com/Data/Upload.ashx?json=1&type=Model&genreTypeId=1")?;
+ //url borrow scope
 {
- let mut query=url.query_pairs_mut();
+ let mut query=url.query_pairs_mut();//borrow here
 query.append_pair("assetid",asset_id.to_string().as_str());
 match owner{
 Owner::Group(group_id)=>{query.append_pair("groupId",group_id.to_string().as_str());},
@@ -126,10 +127,25 @@ async fn upload_list(cookie:String,owner:Owner,asset_id_file_map:AssetIDFileMap)
 }
 }
- let resp=client.post(url)
+ let body=tokio::fs::read_to_string(file).await?;
+ let mut resp=client.post(url.clone())
 .header("Cookie",cookie)
- .body(tokio::fs::read_to_string(file).await?)
+ .body(body.clone())
 .send().await?;
+
+ //This is called a CSRF challenge apparently
+ if resp.status()==reqwest::StatusCode::FORBIDDEN{
+ if let Some(csrf_token)=resp.headers().get("X-CSRF-Token"){
+ resp=client.post(url)
+ .header("X-CSRF-Token",csrf_token)
+ .header("Cookie",cookie)
+ .body(body)
+ .send().await?;
+ }else{
+ return Err(anyhow::Error::msg("Roblox returned 403 with no CSRF"));
+ }
+ }
+
 Ok((asset_id,resp.bytes().await?))
 }
 })
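Review bot: After the CSRF retry the response status is never checked, so `Ok((asset_id,resp.bytes().await?))` reports a second 403 (or any other non-2xx reply to either POST) as a successful upload with the error page as its payload; add `let resp=resp.error_for_status()?;` right after the `if` block so a failed upload surfaces as `Err`. The retry also uses `cookie` by value a second time, which only compiles if `cookie` is rebound by reference before `async move` the way `owner` is at the top of the first hunk — that binding is outside this hunk, so it cannot be confirmed here. `body.clone()` copies the whole file contents on every upload in case the retry is needed; if that cost matters, holding the body as `bytes::Bytes` turns the clone into a refcount bump, assuming that crate is already a dependency. The comment `//This is called a CSRF challenge apparently` would be more useful stating what the code relies on: `// Roblox answers the first POST with 403 plus an X-CSRF-Token header; resend the same request with that token echoed back.` upload_list's body begins before and its signature is outside this hunk.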