Merge pull request #58 from mutantmonkey/referrer_fixup2
trim trailing / for origin checking
commit
4fee922543
2
csrf.go
2
csrf.go
|
@ -16,7 +16,7 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, prefix) {
|
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, strings.TrimSuffix(prefix, "/")) {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
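Review bot: The Origin comparison in strictReferrerCheck is still a prefix match, and once the trailing slash is trimmed nothing marks the end of the host, so an origin that merely begins with the site URL (constructed example: `https://site.example.other.test` against a prefix of `https://site.example/`) passes `strings.HasPrefix`. Browsers send Origin as scheme, host and port with no path, so an exact comparison is sufficient: `if origin := r.Header.Get("Origin"); origin != "" && origin != strings.TrimSuffix(prefix, "/") {`. If prefix can carry a path, which these lines do not show, derive scheme and host from it with `url.Parse` before comparing. The function starts and continues outside this hunk, so the checks before this line were not reviewed.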
@ -248,7 +248,7 @@ func TestPostCodeUploadBadOrigin(t *testing.T) {
|
||||||
req.PostForm = form
|
req.PostForm = form
|
||||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||||
req.Header.Set("Referer", Config.siteURL)
|
req.Header.Set("Referer", Config.siteURL)
|
||||||
req.Header.Set("Origin", "http://example.com/")
|
req.Header.Set("Origin", "http://example.com")
|
||||||
|
|
||||||
mux.ServeHTTP(w, req)
|
mux.ServeHTTP(w, req)
|
||||||
|
|
||||||
|
@ -274,6 +274,7 @@ func TestPostCodeExpiryJSONUpload(t *testing.T) {
|
||||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||||
req.Header.Set("Accept", "application/json")
|
req.Header.Set("Accept", "application/json")
|
||||||
req.Header.Set("Referer", Config.siteURL)
|
req.Header.Set("Referer", Config.siteURL)
|
||||||
|
req.Header.Set("Origin", strings.TrimSuffix(Config.siteURL, "/"))
|
||||||
|
|
||||||
mux.ServeHTTP(w, req)
|
mux.ServeHTTP(w, req)
|
||||||
|
|
||||||
|
|
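Review bot: TestPostCodeUploadBadOrigin only sends `http://example.com`, a host that presumably shares nothing with Config.siteURL, so no test here exercises the end-of-host boundary of the prefix comparison that this commit changes in csrf.go. Add a case that sets `req.Header.Set("Origin", strings.TrimSuffix(Config.siteURL, "/")+".example.net")` and expects the same rejection as the existing bad-origin test. Both test functions start and end outside the hunks shown, so their assertions are not visible here.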