diff options
| author |  Marien Fressinaud <dev@marienfressinaud.fr>
| 2014-09-17 14:21:56 +0200 |
|---|---|---|
| committer | Marien Fressinaud <dev@marienfressinaud.fr>
| 2014-09-17 14:21:56 +0200 |
| commit | fc7d2a0bf271e43a9e6001dccef61ec0762eb840 (patch) | |
| tree | 3b59047da35e6acca85d0e0831f3e8951e11402f | |
| parent | 75bf305b2f084958d43689b3781d03a29cc21f60 (diff) | |
Move http referer test into lib_rss
Rename method (coding style)
Change in app/FreshRSS.php
Improve test of app/install.php
| -rw-r--r-- | app/FreshRSS.php | 2 | ||||
| -rw-r--r-- | app/install.php | 2 | ||||
| -rw-r--r-- | lib/Minz/Request.php | 14 | ||||
| -rw-r--r-- | lib/lib_rss.php | 14 |
4 files changed, 16 insertions, 16 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 6cca27f78..347b8392f 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -6,7 +6,7 @@ class FreshRSS extends Minz_FrontController { } $loginOk = $this->accessControl(Minz_Session::param('currentUser', '')); $this->loadParamsView(); - if (Minz_Request::isPost() && !Minz_Request::isRefererFromSameDomain()) { + if (Minz_Request::isPost() && !is_referer_from_same_domain()) { $loginOk = false; //Basic protection against XSRF attacks Minz_Error::error( 403, diff --git a/app/install.php b/app/install.php index f31764545..362ffec48 100644 --- a/app/install.php +++ b/app/install.php @@ -307,7 +307,7 @@ function checkStep1() { $log = LOG_PATH && is_writable(LOG_PATH); $favicons = is_writable(DATA_PATH . '/favicons'); $persona = is_writable(DATA_PATH . '/persona'); - $http_referer = !empty($_SERVER['HTTP_REFERER']); + $http_referer = is_referer_from_same_domain(); return array( 'php' => $php ? 'ok' : 'ko', diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php index ec4e25a6b..52f53012f 100644 --- a/lib/Minz/Request.php +++ b/lib/Minz/Request.php @@ -84,20 +84,6 @@ class Minz_Request { return $_SERVER['HTTP_HOST']; } - public static function isRefererFromSameDomain() { - if (empty($_SERVER['HTTP_REFERER'])) { - return false; - } - $host = parse_url(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://') . - (empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST'])); - $referer = parse_url($_SERVER['HTTP_REFERER']); - if (empty($host['scheme']) || empty($referer['scheme']) || $host['scheme'] !== $referer['scheme'] || - empty($host['host']) || empty($referer['host']) || $host['host'] !== $referer['host']) { - return false; - } - return (isset($host['port']) ? $host['port'] : 0) === (isset($referer['port']) ? $referer['port'] : 0); - } - /** * Détermine la base de l'url * @return la base de l'url diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 823f53716..31c9cdbc1 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -230,3 +230,17 @@ function cryptAvailable() { } return false; } + +function is_referer_from_same_domain() { + if (empty($_SERVER['HTTP_REFERER'])) { + return false; + } + $host = parse_url(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://') . + (empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST'])); + $referer = parse_url($_SERVER['HTTP_REFERER']); + if (empty($host['scheme']) || empty($referer['scheme']) || $host['scheme'] !== $referer['scheme'] || + empty($host['host']) || empty($referer['host']) || $host['host'] !== $referer['host']) { + return false; + } + return (isset($host['port']) ? $host['port'] : 0) === (isset($referer['port']) ? $referer['port'] : 0); +} |