From a1c024a34254626fc6e2226628cf3675becbf350 Mon Sep 17 00:00:00 2001
From: TheAMM
Date: Mon, 22 May 2017 16:28:06 +0300
Subject: [PATCH] Re-enable CSRF token for upload & fix API CSRF handling
---
 nyaa/api_handler.py | 4 ++--
 nyaa/forms.py | 3 ---
 nyaa/templates/upload.html | 2 ++
 3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/nyaa/api_handler.py b/nyaa/api_handler.py
index 4ddd510..dd5af3b 100644
--- a/nyaa/api_handler.py
+++ b/nyaa/api_handler.py
@@ -104,7 +104,7 @@ def api_upload(upload_request, user):
 return flask.make_response(flask.jsonify(
 {'Failure': ['No torrent file was attached.']}), 400)
- form = forms.UploadForm(CombinedMultiDict((torrent_file, form_info)))
+ form = forms.UploadForm(CombinedMultiDict((torrent_file, form_info)), csrf_enabled=False)
 form.category.choices = _create_upload_category_choices()
 if upload_request.method == 'POST' and form.validate():
@@ -166,7 +166,7 @@ def v2_api_upload():
 mapped_dict[mapped_key] = request_data.get(key) or ''
 # Flask-WTF (very helpfully!!) automatically grabs the request form, so force a None formdata
- upload_form = forms.UploadForm(None, data=mapped_dict)
+ upload_form = forms.UploadForm(None, data=mapped_dict, csrf_enabled=False)
 upload_form.category.choices = _create_upload_category_choices()
 if upload_form.validate():
diff --git a/nyaa/forms.py b/nyaa/forms.py
index f21b890..f1626d9 100644
--- a/nyaa/forms.py
+++ b/nyaa/forms.py
@@ -166,9 +166,6 @@ class EditForm(FlaskForm):
 class UploadForm(FlaskForm):
-
- class Meta:
- csrf = False
 torrent_file = FileField('Torrent file', [
 FileRequired()
diff --git a/nyaa/templates/upload.html b/nyaa/templates/upload.html
index b2df92f..e54beaa 100644
--- a/nyaa/templates/upload.html
+++ b/nyaa/templates/upload.html
@@ -14,6 +14,8 @@
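Review bot: `csrf_enabled=False` on the `forms.UploadForm(...)` call in `api_upload` is only safe if the `user` passed into this function is established from per-request credentials (an Authorization header or API key) and never from the browser session cookie; if the API route also accepts session-authenticated callers, this line re-opens for the API exactly the cross-site upload that the template change closes for the HTML form. That invariant is not visible in the hunk, so it deserves a comment at the call site, e.g. `# CSRF intentionally off: API callers authenticate per request, not via the session cookie`. Note also that Flask-WTF 0.14+ deprecates the `csrf_enabled` keyword in favour of `meta={'csrf': False}`; if the project pins a version that new, prefer `form = forms.UploadForm(CombinedMultiDict((torrent_file, form_info)), meta={'csrf': False})` so the opt-out does not break on a later upgrade. `api_upload` begins before and continues past this hunk.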
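Review bot: The second `csrf_enabled=False` in `v2_api_upload` duplicates the opt-out from `api_upload`, so a third API entry point added later can silently forget it and reject every request, or worse, someone "cleaning up" one site can reintroduce the per-call disable inconsistently. Since forms.py now carries the secure default on `UploadForm`, consider expressing the API exception once: `class APIUploadForm(UploadForm):` with `class Meta:` / `csrf = False`, and instantiate that subclass from both API paths instead of passing the flag. This keeps the security decision in one reviewable place and avoids the deprecated keyword entirely. `v2_api_upload` begins before and continues past this hunk.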
Drop here!
+ {{ upload_form.csrf_token }} + {% if config.ENFORCE_MAIN_ANNOUNCE_URL %}

Important: Please include {{ config.MAIN_ANNOUNCE_URL }} in your trackers

{% endif %}
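Review bot: The added `{{ upload_form.csrf_token }}` only protects the upload if the hidden input it renders is a descendant of the `<form>` whose POST the upload view validates; the opening form tag is outside this hunk and the surrounding markup is not legible here, so confirm its placement rather than assume it. If the "Drop here!" target submits through JavaScript rather than a plain form post, that code path must now include the same token as a `csrf_token` form field, or drag-and-drop uploads will start failing validation with no visible cause. A brief template comment such as `{# CSRF token required: UploadForm no longer disables CSRF #}` next to the field would tell the next editor why it must not be removed.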