CSRF challenge

Quaternions 2023-12-31 11:53:07 -08:00
parent 5b68f23755
commit c080634a53


@ -117,8 +117,9 @@ async fn upload_list(cookie:String,owner:Owner,asset_id_file_map:AssetIDFileMap)
let owner=&owner; let owner=&owner;
async move{ async move{
let mut url=reqwest::Url::parse("https://data.roblox.com/Data/Upload.ashx?json=1&type=Model&genreTypeId=1")?; let mut url=reqwest::Url::parse("https://data.roblox.com/Data/Upload.ashx?json=1&type=Model&genreTypeId=1")?;
//url borrow scope
{ {
let mut query=url.query_pairs_mut(); let mut query=url.query_pairs_mut();//borrow here
query.append_pair("assetid",asset_id.to_string().as_str()); query.append_pair("assetid",asset_id.to_string().as_str());
match owner{ match owner{
Owner::Group(group_id)=>{query.append_pair("groupId",group_id.to_string().as_str());}, Owner::Group(group_id)=>{query.append_pair("groupId",group_id.to_string().as_str());},
@ -126,10 +127,25 @@ async fn upload_list(cookie:String,owner:Owner,asset_id_file_map:AssetIDFileMap)
} }
} }
let resp=client.post(url) let body=tokio::fs::read_to_string(file).await?;
let mut resp=client.post(url.clone())
.header("Cookie",cookie) .header("Cookie",cookie)
.body(tokio::fs::read_to_string(file).await?) .body(body.clone())
.send().await?; .send().await?;
//This is called a CSRF challenge apparently
if resp.status()==reqwest::StatusCode::FORBIDDEN{
if let Some(csrf_token)=resp.headers().get("X-CSRF-Token"){
resp=client.post(url)
.header("X-CSRF-Token",csrf_token)
.header("Cookie",cookie)
.body(body)
.send().await?;
}else{
return Err(anyhow::Error::msg("Roblox returned 403 with no CSRF"));
}
}
Ok((asset_id,resp.bytes().await?)) Ok((asset_id,resp.bytes().await?))
} }
}) })
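Review bot: The retried response is never status-checked. After the `if resp.status()==reqwest::StatusCode::FORBIDDEN{` block, a second 403 (for example a rejected token or a real permission denial) or any other non-2xx reply still reaches `Ok((asset_id,resp.bytes().await?))`, so a failed upload is reported as success with the error body as its payload. Adding `let resp=resp.error_for_status()?;` just before the `Ok(...)` line would let only successful uploads return Ok. Separately, the challenge round-trip is repeated for every asset and `body.clone()` is paid even when no retry happens; if the token stays valid across requests (not shown here), obtaining it once and sending it on the first attempt would avoid both. The enclosing closure and `upload_list` begin outside this hunk, so how `cookie` is bound for its second use is not visible.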