From 17f911c6dc59361f5df7bc3d2ac6b341768f12f2 Mon Sep 17 00:00:00 2001
From: Anand Doshi
Date: Fri, 25 Sep 2015 12:55:44 +0530
Subject: [PATCH] [fix] csrf for open_url_post
---
 frappe/auth.py | 7 ++++++-
 frappe/public/js/legacy/handler.js | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/frappe/auth.py b/frappe/auth.py
index 72fdadd9a9..2cff14e097 100644
--- a/frappe/auth.py
+++ b/frappe/auth.py
@@ -61,7 +61,12 @@ class HTTPRequest:
 # not via boot
 return
- if frappe.local.session.data.csrf_token != frappe.get_request_header("X-Frappe-CSRF-Token"):
+ csrf_token = frappe.get_request_header("X-Frappe-CSRF-Token")
+ if not csrf_token and "csrf_token" in frappe.local.form_dict:
+ csrf_token = frappe.local.form_dict.csrf_token
+ del frappe.local.form_dict["csrf_token"]
+
+ if frappe.local.session.data.csrf_token != csrf_token:
 frappe.local.flags.disable_traceback = True
 frappe.throw(_("Invalid Request"), frappe.CSRFTokenError)
diff --git a/frappe/public/js/legacy/handler.js b/frappe/public/js/legacy/handler.js
index 96d3f7adb9..9b0ee5a656 100644
--- a/frappe/public/js/legacy/handler.js
+++ b/frappe/public/js/legacy/handler.js
@@ -86,6 +86,7 @@ function open_url_post(URL, PARAMS, new_window) {
 if(new_window){
 temp.target = '_blank';
 }
+ PARAMS["csrf_token"] = frappe.csrf_token;
 for(var x in PARAMS) {
 var opt=document.createElement("textarea");
 opt.name=x;
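Review bot: The new fallback takes the token from `frappe.local.form_dict`, and if that dict is also populated from query-string parameters (it is built outside this hunk, so I cannot confirm) a client could send the session's CSRF token in a GET URL, where it ends up in access logs and Referer headers; since open_url_post only ever POSTs it, the fallback can be limited to the form body, e.g. `if not csrf_token and frappe.request.method == "POST" and "csrf_token" in frappe.local.form_dict:` (assuming `frappe.request` exposes the method). The comparison on the last added line is a plain `!=`, which short-circuits on the first differing byte; a constant-time compare such as `hmac.compare_digest(str(session_token), str(csrf_token))`, after an explicit `None` check, is the usual choice for a secret token. Note that when neither the header nor the form field is present `csrf_token` is `None`, so the check is only meaningful if the code above the hunk guarantees `session.data.csrf_token` is non-empty. The enclosing method begins before the hunk, so its guard conditions are not visible here.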
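Review bot: The added line attaches the session CSRF token to every form this function builds regardless of where `URL` points, so a caller that posts to another host (whether any does is not visible here) would hand the token to a third party; it also mutates the caller's `PARAMS` object and, when `frappe.csrf_token` is unset, serializes the string "undefined" into the form. Guarding on presence and origin, e.g. `if (frappe.csrf_token && (/^\/(?!\/)/.test(URL) || URL.indexOf(window.location.origin + "/") === 0)) { PARAMS["csrf_token"] = frappe.csrf_token; }`, limits the token to same-origin posts, and copying `PARAMS` before assigning avoids the caller-visible mutation. open_url_post starts before the hunk's first line and its remainder runs past the hunk.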