add xsrf checks on files endpoints

Author: minrk

notebook/base/handlers.py

@@ -650,14 +650,21 @@ def content_security_policy(self):
         return super(AuthenticatedFileHandler, self).content_security_policy + \
                 "; sandbox allow-scripts"
 
+    @web.authenticated
+    def head(self, path):
+        self.check_xsrf_cookie()
+        return super(AuthenticatedFileHandler, self).head(path)
+
     @web.authenticated
     def get(self, path):
+        self.check_xsrf_cookie()
+
         if os.path.splitext(path)[1] == '.ipynb' or self.get_argument("download", False):
             name = path.rsplit('/', 1)[-1]
             self.set_attachment_header(name)
 
         return web.StaticFileHandler.get(self, path)
-    
+
     def get_content_type(self):
         path = self.absolute_path.strip('/')
         if '/' in path:

notebook/files/handlers.py

@@ -31,10 +31,13 @@ def content_security_policy(self):
 
     @web.authenticated
     def head(self, path):
-        self.get(path, include_body=False)
+        self.check_xsrf_cookie()
+        return self.get(path, include_body=False)
 
     @web.authenticated
     def get(self, path, include_body=True):
+        # /files/ requests must originate from the same site
+        self.check_xsrf_cookie()
         cm = self.contents_manager
 
         if cm.is_hidden(path) and not cm.allow_hidden:

notebook/services/nbconvert/handlers.py

@@ -9,6 +9,7 @@ class NbconvertRootHandler(APIHandler):
 
     @web.authenticated
     def get(self):
+        self.check_xsrf_cookie()
         try:
             from nbconvert.exporters import base
         except ImportError as e: