do a proper same-origin check
String prefix matching is hacky and provides insufficient checking if it does not end with a /.
This commit is contained in:
parent
ff1d9f56a1
commit
d138755806
27
csrf.go
27
csrf.go
@ -2,14 +2,19 @@ package main
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"net/url"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// Do a strict referrer check, matching against both the Origin header (if
|
||||||
|
// present) and the Referrer header. If a list of headers is specified, then
|
||||||
|
// Referrer checking will be skipped if any of those headers are present.
|
||||||
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
|
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
|
||||||
p := strings.TrimSuffix(prefix, "/")
|
p, _ := url.Parse(prefix)
|
||||||
|
|
||||||
|
// if there's an Origin header, check it and skip other checks
|
||||||
if origin := r.Header.Get("Origin"); origin != "" {
|
if origin := r.Header.Get("Origin"); origin != "" {
|
||||||
// if there's an Origin header, check it and ignore the rest
|
u, _ := url.Parse(origin)
|
||||||
return strings.HasPrefix(origin, p)
|
return sameOrigin(u, p)
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, header := range whitelistHeaders {
|
for _, header := range whitelistHeaders {
|
||||||
@ -18,9 +23,13 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
|
referrer := r.Header.Get("Referer")
|
||||||
return false
|
u, _ := url.Parse(referrer)
|
||||||
}
|
return sameOrigin(u, p)
|
||||||
|
}
|
||||||
return true
|
|
||||||
|
// Check if two URLs have the same origin
|
||||||
|
func sameOrigin(u1, u2 *url.URL) bool {
|
||||||
|
// host also contains the port if one was specified
|
||||||
|
return (u1.Scheme == u2.Scheme && u1.Host == u2.Host)
|
||||||
}
|
}
|
||||||
|
@ -4,6 +4,7 @@ import (
|
|||||||
"bytes"
|
"bytes"
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
"path"
|
"path"
|
||||||
"strings"
|
"strings"
|
||||||
@ -26,8 +27,9 @@ func fileServeHandler(c web.C, w http.ResponseWriter, r *http.Request) {
|
|||||||
|
|
||||||
if !Config.allowHotlink {
|
if !Config.allowHotlink {
|
||||||
referer := r.Header.Get("Referer")
|
referer := r.Header.Get("Referer")
|
||||||
prefix := strings.TrimSuffix(Config.siteURL, "/")
|
u, _ := url.Parse(referer)
|
||||||
if referer != "" && !strings.HasPrefix(referer, prefix) {
|
p, _ := url.Parse(Config.siteURL)
|
||||||
|
if referer != "" && !sameOrigin(u, p) {
|
||||||
w.WriteHeader(403)
|
w.WriteHeader(403)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
Loading…
x
Reference in New Issue
Block a user