From a7ae455ac1949388c8dd1f9ee57f714121209162 Mon Sep 17 00:00:00 2001
From: mutantmonkey
Date: Mon, 12 Oct 2015 00:28:01 -0700
Subject: [PATCH] strict referrer check improvements

* Always check Origin if it is present, regardless of headers sent
* Whitelist X-Requested-With header
---
 csrf.go | 11 +++++------
 upload.go | 4 ++--
 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/csrf.go b/csrf.go
index 61799db..fdf3d93 100644
--- a/csrf.go
+++ b/csrf.go
@@ -6,21 +6,20 @@ import (
 )
 
 func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
+ p := strings.TrimSuffix(prefix, "/")
+ if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
+ return false
+ }
+
 for _, header := range whitelistHeaders {
 if r.Header.Get(header) != "" {
 return true
 }
 }
 
- p := strings.TrimSuffix(prefix, "/")
-
 if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
 return false
 }
 
- if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
- return false
- }
-
 return true
 }
diff --git a/upload.go b/upload.go
index 63582d9..a4a9032 100644
--- a/upload.go
+++ b/upload.go
@@ -46,7 +46,7 @@ type Upload struct {
 }
 
 func uploadPostHandler(c web.C, w http.ResponseWriter, r *http.Request) {
- if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize"}) {
+ if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
 badRequestHandler(c, w, r)
 return
 }
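Review bot: Both `strings.HasPrefix(origin, p)` in the new Origin check and the retained `strings.HasPrefix(referrer, p)` compare against `prefix` with its trailing slash stripped, so any value that merely starts with the site URL text — an origin whose host name begins with the site's host, for instance — is accepted as same-origin. Origin carries only `scheme://host[:port]`, so it should be compared for equality with that portion of the configured URL, and the Referer check should require the prefix to end at a path boundary (`referrer == p` or `p + "/"`). The whole of `strictReferrerCheck` lies within the hunk; the rewrite below needs `net/url` added to the import block whose closing paren is the hunk's first context line. Parsing the configured URL also keeps the comparison correct when siteURL carries a path, which a bare equality against the trimmed string would not.
```go
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
	p := strings.TrimSuffix(prefix, "/")
	// Origin is scheme://host[:port] with no path, so compare it for equality
	// with that part of the configured site URL instead of a string prefix.
	site, err := url.Parse(p)
	if err != nil || site.Scheme == "" || site.Host == "" {
		return false
	}
	siteOrigin := site.Scheme + "://" + site.Host
	if origin := r.Header.Get("Origin"); origin != "" && origin != siteOrigin {
		return false
	}

	// … unchanged: whitelisted-header loop …

	// Require a path boundary so p cannot match a longer host name.
	if referrer := r.Header.Get("Referer"); referrer != p && !strings.HasPrefix(referrer, p+"/") {
		return false
	}

	return true
}
```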
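Review bot: The four-entry header list is now spelled out twice, here in `uploadPostHandler` and again in the `uploadRemote` hunk that follows, so the two call sites can drift apart; a package-level `var csrfWhitelistHeaders = []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}` passed at both sites keeps them identical. The soundness of the check rests on none of these headers being one a browser attaches to a cross-site request without a CORS preflight, and nothing at either call site records that assumption; a comment on the shared variable such as `// Presence of any of these custom headers implies a same-origin or CORS-approved request; never add a CORS-safelisted header here.` would stop a later edit from weakening the check. Both enclosing handlers continue beyond their hunks.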
@@ -145,7 +145,7 @@ func uploadRemote(c web.C, w http.ResponseWriter, r *http.Request) {
 }
 } else {
 // strict referrer checking is mandatory without remote auth keys
- if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize"}) {
+ if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
 badRequestHandler(c, w, r)
 return
 }