diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2014-08-30 18:31:50 +0200 |
|---|---|---|
| committer | Alexandre Alapetite <alexandre@alapetite.fr>
| 2014-08-30 18:31:50 +0200 |
| commit | a126d99b3c87c12d6da86a32f0615ad36ec99d60 (patch) | |
| tree | ef1b93c6e5ddb7e69ebb4d505511de72f3f5193c /app | |
| parent | e411618836dc315620cc176809aed70893992aeb (diff) | |
Bug referer for systems with non-standard HTTP port
Now tests also for the scheme and port, which must be identical to the
ones in the referer.
https://github.com/marienfressinaud/FreshRSS/issues/565#issuecomment-53916915
https://github.com/marienfressinaud/FreshRSS/issues/554
Diffstat (limited to 'app')
| -rw-r--r-- | app/FreshRSS.php | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 30f711e20..cf6390f68 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -6,8 +6,7 @@ class FreshRSS extends Minz_FrontController { } $loginOk = $this->accessControl(Minz_Session::param('currentUser', '')); $this->loadParamsView(); - if (Minz_Request::isPost() && (empty($_SERVER['HTTP_REFERER']) || - Minz_Request::getDomainName() !== parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST))) { + if (Minz_Request::isPost() && !Minz_Request::isRefererFromSameDomain()) { $loginOk = false; //Basic protection against XSRF attacks Minz_Error::error( 403, |