diff --git a/cpanel/gniza/lib/GnizaCPanel/UI.pm b/cpanel/gniza/lib/GnizaCPanel/UI.pm
index 82719b2..80fc7b2 100644
--- a/cpanel/gniza/lib/GnizaCPanel/UI.pm
+++ b/cpanel/gniza/lib/GnizaCPanel/UI.pm
@@ -120,7 +120,13 @@ sub generate_csrf_token {
 }
 }
- _safe_write(_csrf_file(), time() . "\n" . $token . "\n");
+ my $csrf_file = _csrf_file();
+ unless (_safe_write($csrf_file, time() . "\n" . $token . "\n")) {
+ if (open my $fh, '>', $csrf_file) {
+ print $fh time() . "\n" . $token . "\n";
+ close $fh;
+ }
+ }
 $_current_csrf_token = $token;
 return $token;
diff --git a/whm/gniza-whm/lib/GnizaWHM/UI.pm b/whm/gniza-whm/lib/GnizaWHM/UI.pm
index 349baf4..72ffe1f 100644
--- a/whm/gniza-whm/lib/GnizaWHM/UI.pm
+++ b/whm/gniza-whm/lib/GnizaWHM/UI.pm
@@ -158,7 +158,14 @@ sub generate_csrf_token {
 }
 _ensure_dir($CSRF_DIR);
- _safe_write("$CSRF_DIR/token", time() . "\n" . $token . "\n");
+ unless (_safe_write("$CSRF_DIR/token", time() . "\n" . $token . "\n")) {
+ # O_EXCL can fail if unlink didn't fully remove the file;
+ # fall back to plain overwrite so the token is always persisted.
+ if (open my $fh, '>', "$CSRF_DIR/token") {
+ print $fh time() . "\n" . $token . "\n";
+ close $fh;
+ }
+ }
 $_current_csrf_token = $token;
 return $token;
diff --git a/whm/gniza-whm/settings.cgi b/whm/gniza-whm/settings.cgi
index 5bcf26d..189b3f8 100644
--- a/whm/gniza-whm/settings.cgi
+++ b/whm/gniza-whm/settings.cgi
@@ -282,7 +282,11 @@ function gnizaTestSmtp() {
 fetch('settings.cgi', { method: 'POST', body: fd })
 .then(function(r) { return r.json(); })
 .then(function(data) {
- if (data.csrf) { gnizaCsrf = data.csrf; }
+ if (data.csrf) {
+ gnizaCsrf = data.csrf;
+ var hf = document.querySelector('input[name="gniza_csrf"]');
+ if (hf) hf.value = data.csrf;
+ }
 gnizaSmtpToast(data.success ? 'success' : 'error', data.message);
 })
 .catch(function(err) {
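Review bot: The fallback `open my $fh, '>', $csrf_file` in the cPanel `generate_csrf_token` (and the identical fallback on `"$CSRF_DIR/token"` in the WHM hunk) drops the protections the exclusive-create path presumably gave: a plain `>` open follows symlinks, truncates whatever already sits at the path, and creates the file with umask-derived permissions. `_safe_write` and the token directory are not visible here, so the exposure depends on who can write to that directory, but a path that just failed an O_EXCL create is exactly the case where the existing file should not be trusted. I would keep the overwrite but open with `sysopen` and `O_NOFOLLOW`, mode 0600, and check the open, print and close results so a failed write is logged instead of silently returning a token that was never stored; this assumes the Fcntl constants are already imported for `_safe_write`. The function's body starts and ends outside the hunk.

```perl
my $csrf_file = _csrf_file();
my $payload   = time() . "\n" . $token . "\n";
unless (_safe_write($csrf_file, $payload)) {
    # Fallback overwrite: refuse symlinks and keep a newly created file owner-only.
    # Mode 0600 only applies on creation; an existing file keeps its current mode.
    if (sysopen(my $fh, $csrf_file, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600)) {
        my $written = print {$fh} $payload;
        my $closed  = close $fh;
        warn "gniza: could not write CSRF token file: $!\n"
            unless $written && $closed;
    }
    else {
        warn "gniza: could not open CSRF token file: $!\n";
    }
}
# … unchanged: $_current_csrf_token assignment and return …
```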
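Review bot: The comment added in the WHM `generate_csrf_token` overstates what the fallback guarantees and leaves the cause it names unfixed: "so the token is always persisted" does not hold when the fallback `open` itself fails, and an unlink that leaves the old file behind is a problem inside `_safe_write`, which is outside this hunk. I would reword it to `# O_EXCL create failed (stale file left by unlink?); best-effort overwrite of the existing token file.` and track the unlink failure separately, since every later call will otherwise take this path as well. If the stale file can be owned by another user, which is not visible here, the overwrite also keeps that file's owner and mode, which is worth stating in the comment.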
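Review bot: `document.querySelector('input[name="gniza_csrf"]')` in the `gnizaTestSmtp` response handler refreshes only the first matching hidden field. If the settings page renders more than one form carrying `gniza_csrf` (not visible in this hunk), the others keep the token that the SMTP test request presumably rotated, and their next submit would fail CSRF validation. Updating every match avoids that: `document.querySelectorAll('input[name="gniza_csrf"]').forEach(function(el) { el.value = data.csrf; });`. `gnizaTestSmtp` starts and ends outside the hunk.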