diff options
| -rw-r--r-- | app/FreshRSS.php | 3 | ||||
| -rw-r--r-- | lib/Minz/Request.php | 14 |
2 files changed, 15 insertions, 2 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 30f711e20..cf6390f68 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -6,8 +6,7 @@ class FreshRSS extends Minz_FrontController { } $loginOk = $this->accessControl(Minz_Session::param('currentUser', '')); $this->loadParamsView(); - if (Minz_Request::isPost() && (empty($_SERVER['HTTP_REFERER']) || - Minz_Request::getDomainName() !== parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST))) { + if (Minz_Request::isPost() && !Minz_Request::isRefererFromSameDomain()) { $loginOk = false; //Basic protection against XSRF attacks Minz_Error::error( 403, diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php index 52f53012f..ec4e25a6b 100644 --- a/lib/Minz/Request.php +++ b/lib/Minz/Request.php @@ -84,6 +84,20 @@ class Minz_Request { return $_SERVER['HTTP_HOST']; } + public static function isRefererFromSameDomain() { + if (empty($_SERVER['HTTP_REFERER'])) { + return false; + } + $host = parse_url(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://') . + (empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST'])); + $referer = parse_url($_SERVER['HTTP_REFERER']); + if (empty($host['scheme']) || empty($referer['scheme']) || $host['scheme'] !== $referer['scheme'] || + empty($host['host']) || empty($referer['host']) || $host['host'] !== $referer['host']) { + return false; + } + return (isset($host['port']) ? $host['port'] : 0) === (isset($referer['port']) ? $referer['port'] : 0); + } + /** * Détermine la base de l'url * @return la base de l'url |