From 91014078c0d606d70f90daa99df2dd7f71c138c4 Mon Sep 17 00:00:00 2001
From: JackDandy
Date: Wed, 4 Apr 2018 15:31:21 +0100
Subject: [PATCH] Change add xsrf protection support to media processing scripts.
---
 CHANGES.md | 1 +
 autoProcessTV/SickGear-NG/SickGear-NG.py | 3 +++
 autoProcessTV/autoProcessTV.py | 9 +++++++--
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 653c204b..c3be39c1 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -32,6 +32,7 @@ [develop changelog]
 * Change pick up the stragglers late to the more security party
 * Change remove redundant xsrf handling for POSTs that don't use web and API
+* Change add xsrf protection support to media processing scripts
 ### 0.15.4 (2018-04-03 16:10:00 UTC)
diff --git a/autoProcessTV/SickGear-NG/SickGear-NG.py b/autoProcessTV/SickGear-NG/SickGear-NG.py
index 72f91f2d..08bd61b6 100755
--- a/autoProcessTV/SickGear-NG/SickGear-NG.py
+++ b/autoProcessTV/SickGear-NG/SickGear-NG.py
@@ -485,7 +485,10 @@ def call_sickgear(nzb_name, dir_name, test=False):
 s = requests.Session()
 if username or password:
 login = '%s%s:%s%s/login' % (protocol, host, port, webroot)
+ r = s.get(login)
 login_params = {'username': username, 'password': password}
+ if 401 == r.status_code and r.cookies.get('_xsrf'):
+ login_params['_xsrf'] = r.cookies.get('_xsrf')
 s.post(login, data=login_params, stream=True, verify=False)
 r = s.get(url, auth=(username, password), params=params, stream=True, verify=False, timeout=900)
 except (StandardError, Exception):
diff --git a/autoProcessTV/autoProcessTV.py b/autoProcessTV/autoProcessTV.py
index 0ea32186..2c91bc21 100755
--- a/autoProcessTV/autoProcessTV.py
+++ b/autoProcessTV/autoProcessTV.py
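Review bot: The new `r = s.get(login)` in call_sickgear (SickGear-NG.py) is the only request in that hunk sent without `verify=` or `timeout=`, and the same is true of `r = sess.get(login_url)` in the processEpisode hunk of autoProcessTV.py. Against an https host with a self-signed certificate this GET will fail certificate verification before the login POST is ever reached, and with no timeout it can block the post-processing script indefinitely on an unresponsive host. Since the POST that follows sends the username and password with `verify=False`, I would rather see one shared certificate setting (ideally a CA bundle path instead of disabled verification) passed to every call together with a bounded timeout, e.g. `r = s.get(login, verify=verify, timeout=30)`, where `verify` and the 30 second value are placeholders for whatever the scripts' config provides. call_sickgear starts and ends outside the hunk.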
@@ -132,7 +132,12 @@ def processEpisode(dir_to_process, org_NZB_name=None, status=None):
 try:
 sess = requests.Session()
- sess.post(login_url, data={'username': username, 'password': password}, stream=True, verify=False)
+ if username or password:
+ r = sess.get(login_url)
+ login_params = {'username': username, 'password': password}
+ if 401 == r.status_code and r.cookies.get('_xsrf'):
+ login_params['_xsrf'] = r.cookies.get('_xsrf')
+ sess.post(login_url, data=login_params, stream=True, verify=False)
 result = sess.get(url, params=params, stream=True, verify=False)
 if result.status_code == 401:
 print('Verify and use correct username and password in autoProcessTV.cfg')
@@ -150,4 +155,4 @@ def processEpisode(dir_to_process, org_NZB_name=None, status=None):
 if __name__ == '__main__':
 print ('This module is supposed to be used as import in other scripts and not run standalone.')
 print ('Use sabToSickBeard instead.')
- sys.exit(1)
\ No newline at end of file
+ sys.exit(1)
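Review bot: The `_xsrf` token is forwarded only when the login page answers with status 401, in `if 401 == r.status_code and r.cookies.get('_xsrf'):` in processEpisode and in the identical line in call_sickgear (SickGear-NG.py). The cookie itself already signals that the server expects the token, so if a server version or a reverse proxy in front of it returns the login form with any other status, the token is silently dropped and the login POST would presumably be rejected. Unless 401 is a guaranteed part of the server contract, I would key on the cookie alone with `xsrf = r.cookies.get('_xsrf')` followed by `if xsrf: login_params['_xsrf'] = xsrf`, and add a comment such as `# server sets an _xsrf cookie on the login page; echo it back as a form field`. processEpisode begins outside the hunk.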