
trim trailing / for origin checking

pull/58/head
mutantmonkey 9 years ago
parent
commit
39d874374d
  1. 2
      csrf.go
  2. 3
      server_test.go

2
csrf.go

@ -16,7 +16,7 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri
return false return false
} }
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, prefix) {
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, strings.TrimSuffix(prefix, "/")) {
return false return false
} }
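Review bot: Trimming the slash before the `strings.HasPrefix` call makes the Origin check a bare string-prefix match on `scheme://host`, so an origin such as `https://example.com.attacker.test` (or the same host on a different port) passes when `prefix` is `https://example.com/`; the untrimmed form rejected those only because an `Origin` header never carries a trailing slash, which is presumably the bug this commit is fixing. Origins are whole values, not prefixes, so the comparison should be equality against the site origin derived from `prefix`, which also covers the case where `prefix` carries a path component (I cannot tell from the hunk whether it ever does). The rewrite below needs `net/url` imported, and a one-line `origin != strings.TrimSuffix(prefix, "/")` equality check would be enough if `prefix` is always a bare origin. `strictReferrerCheck` begins and ends outside this hunk, so the Referer branch just above was not reviewed.
```go
// The Origin header is a full origin (scheme://host[:port]), never a prefix;
// compare it for equality with the site origin derived from prefix.
if origin := r.Header.Get("Origin"); origin != "" {
	site, err := url.Parse(prefix)
	if err != nil || origin != site.Scheme+"://"+site.Host {
		return false
	}
}
// … unchanged: remainder of strictReferrerCheck …
```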

3
server_test.go

@ -248,7 +248,7 @@ func TestPostCodeUploadBadOrigin(t *testing.T) {
req.PostForm = form req.PostForm = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Referer", Config.siteURL) req.Header.Set("Referer", Config.siteURL)
req.Header.Set("Origin", "http://example.com/")
req.Header.Set("Origin", "http://example.com")
mux.ServeHTTP(w, req) mux.ServeHTTP(w, req)
@ -274,6 +274,7 @@ func TestPostCodeExpiryJSONUpload(t *testing.T) {
req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Accept", "application/json") req.Header.Set("Accept", "application/json")
req.Header.Set("Referer", Config.siteURL) req.Header.Set("Referer", Config.siteURL)
req.Header.Set("Origin", strings.TrimSuffix(Config.siteURL, "/"))
mux.ServeHTTP(w, req) mux.ServeHTTP(w, req)
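Review bot: The bad-origin case in the first hunk only covers a wholly unrelated host (`http://example.com`), so it cannot catch the prefix-match weakness in the new `csrf.go` check, where an origin that merely starts with the site origin is accepted. A second negative case that shares the site's host as a prefix would pin the intended behaviour, for example `req.Header.Set("Origin", strings.TrimSuffix(Config.siteURL, "/")+".attacker.test")` followed by the same rejected-status assertion `TestPostCodeUploadBadOrigin` already makes (that assertion lies outside this hunk, so I am inferring its shape). The added Origin line in the second hunk is fine as a positive case; pairing it with the negative one above keeps both sides of the check covered.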
