Bug referer for systems with non-standard HTTP port

Now tests also for the scheme and port, which must be identical to the
ones in the referer.

https://github.com/marienfressinaud/FreshRSS/issues/565#issuecomment-53916915
https://github.com/marienfressinaud/FreshRSS/issues/554

2 files changed, 15 insertions, 2 deletions

diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 30f711e20..cf6390f68 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -6,8 +6,7 @@ class FreshRSS extends Minz_FrontController {
 		}
 		$loginOk = $this->accessControl(Minz_Session::param('currentUser', ''));
 		$this->loadParamsView();
-		if (Minz_Request::isPost() && (empty($_SERVER['HTTP_REFERER']) ||
-			Minz_Request::getDomainName() !== parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST))) {
+		if (Minz_Request::isPost() && !Minz_Request::isRefererFromSameDomain()) {
 			$loginOk = false;	//Basic protection against XSRF attacks
 			Minz_Error::error(
 				403,
diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php
index 52f53012f..ec4e25a6b 100644
--- a/lib/Minz/Request.php
+++ b/lib/Minz/Request.php
@@ -84,6 +84,20 @@ class Minz_Request {
 		return $_SERVER['HTTP_HOST'];
 	}
 
+	public static function isRefererFromSameDomain() {
+		if (empty($_SERVER['HTTP_REFERER'])) {
+			return false;
+		}
+		$host = parse_url(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://') .
+			(empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']));
+		$referer = parse_url($_SERVER['HTTP_REFERER']);
+		if (empty($host['scheme']) || empty($referer['scheme']) || $host['scheme'] !== $referer['scheme'] ||
+		    empty($host['host']) || empty($referer['host']) || $host['host'] !== $referer['host']) {
+			return false;
+		}
+		return (isset($host['port']) ? $host['port'] : 0) === (isset($referer['port']) ? $referer['port'] : 0);
+	}
+
 	/**
 	 * Détermine la base de l'url
 	 * @return la base de l'url