Browse Source

strict referrer check improvements

* Always check Origin if it is present, regardless of headers sent
* Whitelist X-Requested-With header
pull/59/head
mutantmonkey 9 years ago
parent
commit
a7ae455ac1
  1. 11
      csrf.go
  2. 4
      upload.go

11
csrf.go

@ -6,21 +6,20 @@ import (
)
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
p := strings.TrimSuffix(prefix, "/")
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
return false
}
for _, header := range whitelistHeaders {
if r.Header.Get(header) != "" {
return true
}
}
p := strings.TrimSuffix(prefix, "/")
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
return false
}
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
return false
}
return true
}

4
upload.go

@ -46,7 +46,7 @@ type Upload struct {
}
func uploadPostHandler(c web.C, w http.ResponseWriter, r *http.Request) {
if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize"}) {
if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
badRequestHandler(c, w, r)
return
}
@ -145,7 +145,7 @@ func uploadRemote(c web.C, w http.ResponseWriter, r *http.Request) {
}
} else {
// strict referrer checking is mandatory without remote auth keys
if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize"}) {
if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
badRequestHandler(c, w, r)
return
}

Loading…
Cancel
Save