strict referrer check improvements

* Always check Origin if it is present, regardless of headers sent
* Whitelist X-Requested-With header
mutantmonkey 2015-10-12 00:28:01 -07:00
parent 61147554a9
commit a7ae455ac1
2 changed files with 7 additions and 8 deletions

csrf.go

@ -6,21 +6,20 @@ import (
) )
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool { func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
p := strings.TrimSuffix(prefix, "/")
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
return false
}
for _, header := range whitelistHeaders { for _, header := range whitelistHeaders {
if r.Header.Get(header) != "" { if r.Header.Get(header) != "" {
return true return true
} }
} }
p := strings.TrimSuffix(prefix, "/")
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) { if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
return false return false
} }
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
return false
}
return true return true
} }
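Review bot: The Origin test on line 19 and the Referer test on line 28 are plain string-prefix matches against the trimmed site URL, so with a siteURL of `https://example.org` a cross-site request carrying `Origin: https://example.org.attacker.net` (or a Referer under that host) passes and the check is bypassed. An Origin header has no path and should equal the site's `scheme://host[:port]` exactly, while a Referer does carry a path and should be either the site URL itself or the site URL followed by `/`. The rewrite below derives the site origin with `url.Parse`, which needs `net/url` in the import block if it is not already there; if `Config.siteURL` is guaranteed to be a bare origin, the simpler `origin != p` comparison is enough. A short comment on the whitelist loop should also record why a listed header is accepted as proof of same-origin, since that is the only thing standing between the `X-Requested-With` addition and a silent bypass if a browser ever sends it without a preflight.
```go
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
	p := strings.TrimSuffix(prefix, "/")
	// Origin carries no path, so compare it with the site's scheme://host
	// exactly; a prefix test lets https://site.example.attacker.net through.
	siteOrigin := p
	if u, err := url.Parse(p); err == nil && u.Host != "" {
		siteOrigin = u.Scheme + "://" + u.Host
	}
	if origin := r.Header.Get("Origin"); origin != "" && origin != siteOrigin {
		return false
	}
	// … unchanged: whitelist header loop …
	// Referer includes a path: accept the site URL itself or a "/"-delimited descendant.
	if referrer := r.Header.Get("Referer"); referrer != p && !strings.HasPrefix(referrer, p+"/") {
		return false
	}
	return true
}
```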


@ -46,7 +46,7 @@ type Upload struct {
} }
func uploadPostHandler(c web.C, w http.ResponseWriter, r *http.Request) { func uploadPostHandler(c web.C, w http.ResponseWriter, r *http.Request) {
if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize"}) { if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
badRequestHandler(c, w, r) badRequestHandler(c, w, r)
return return
} }
@ -145,7 +145,7 @@ func uploadRemote(c web.C, w http.ResponseWriter, r *http.Request) {
} }
} else { } else {
// strict referrer checking is mandatory without remote auth keys // strict referrer checking is mandatory without remote auth keys
if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize"}) { if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
badRequestHandler(c, w, r) badRequestHandler(c, w, r)
return return
} }
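Review bot: The whitelist header list is now written out twice, on lines 42 and 50, and this very commit had to patch both copies to add `X-Requested-With`; hoisting it to a package-level `var csrfWhitelistHeaders = []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}` and passing that at both call sites keeps the two handlers from drifting apart. That variable is also the right place for a one-line comment on why these headers bypass the referrer check, presumably something like `// Custom headers cannot be attached to a cross-origin request without a CORS preflight, so their presence is treated as proof of a same-origin caller.` — confirm that is the intended rationale. The `uploadRemote` body containing the second call begins and ends outside this hunk.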