diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2014-08-01 23:22:41 +0200 |
|---|---|---|
| committer | Alexandre Alapetite <alexandre@alapetite.fr>
| 2014-08-01 23:22:41 +0200 |
| commit | a0930a5ad6e3cb9d02ee7d3e02a5d9918d53f5d6 (patch) | |
| tree | cec3504731ee342f720544c9ef9cb17b793bcf38 /app/FreshRSS.php | |
| parent | d3f730287d28ecdbb8bff6445bca5944794503fd (diff) | |
Strict Referer domain against XSRF
https://github.com/marienfressinaud/FreshRSS/issues/554
Diffstat (limited to 'app/FreshRSS.php')
| -rw-r--r-- | app/FreshRSS.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php index cd6048f75..3443589c6 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -6,8 +6,8 @@ class FreshRSS extends Minz_FrontController { } $loginOk = $this->accessControl(Minz_Session::param('currentUser', '')); $this->loadParamsView(); - if (Minz_Request::isPost() && !empty($_SERVER['HTTP_REFERER']) && - Minz_Request::getDomainName() !== parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)) { + if (Minz_Request::isPost() && (empty($_SERVER['HTTP_REFERER']) || + Minz_Request::getDomainName() !== parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST))) { $loginOk = false; //Basic protection against XSRF attacks Minz_Error::error( 403, |