path: root/app/FreshRSS.php
authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2014-08-01 20:20:25 +0200
committerGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2014-08-01 20:20:25 +0200
commit35be1769de28df3fff1a26e40d1d6b1e587a2847 (patch)
tree17c0def5f8acd4910d8cf43c051b9087f5379c0b /app/FreshRSS.php
parentaafcd3a879225414ca7fb5a9b74ba06e5ece8c12 (diff)
Basic protection against XSRF using Referer
https://github.com/marienfressinaud/FreshRSS/issues/554 Also edited the error controller to use the log message passed in Minz_Error::error().
Diffstat (limited to 'app/FreshRSS.php')
-rw-r--r--app/FreshRSS.php11
1 files changed, 10 insertions, 1 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 84cf3429b..cd6048f75 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -6,6 +6,16 @@ class FreshRSS extends Minz_FrontController {
}
$loginOk = $this->accessControl(Minz_Session::param('currentUser', ''));
$this->loadParamsView();
+ if (Minz_Request::isPost() && !empty($_SERVER['HTTP_REFERER']) &&
+ Minz_Request::getDomainName() !== parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)) {
+ $loginOk = false; //Basic protection against XSRF attacks
+ Minz_Error::error(
+ 403,
+ array('error' => array(Minz_Translate::t('access_denied') . ' [HTTP_REFERER=' .
+ htmlspecialchars(empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER']) . ']'))
+ );
+ }
+ Minz_View::_param('loginOk', $loginOk);
$this->loadStylesAndScripts($loginOk); //TODO: Do not load that when not needed, e.g. some Ajax requests
$this->loadNotifications();
}
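Review bot: The new check on the `if` line is only entered when a Referer is present, so a POST with no Referer header bypasses the XSRF protection entirely; a cross-site page can suppress the Referer (e.g. a `no-referrer` referrer policy, or an HTTPS page posting to an HTTP deployment), which makes this a weak defence on its own. A stricter variant rejects the missing-Referer case as well, `if (Minz_Request::isPost() && (empty($_SERVER['HTTP_REFERER']) || Minz_Request::getDomainName() !== parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST))) {`, at the cost of breaking clients and privacy extensions that strip Referer, so a per-session anti-CSRF token checked on every POST is the robust fix and this should be documented as interim. The comparison is host-only (`PHP_URL_HOST`), so scheme and port are not verified, and a malformed Referer makes `parse_url` return `false`, which the strict inequality correctly treats as a mismatch; a short comment stating both facts would help the next reader. Whether execution continues after `Minz_Error::error()` is not visible here; if it does not exit, the later `loadStylesAndScripts` call still runs with `$loginOk` false, which is presumably intended but worth confirming. The enclosing method starts before this hunk.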
@@ -95,7 +105,6 @@ class FreshRSS extends Minz_FrontController {
break;
}
}
- Minz_View::_param ('loginOk', $loginOk);
return $loginOk;
}