From a126d99b3c87c12d6da86a32f0615ad36ec99d60 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sat, 30 Aug 2014 18:31:50 +0200
Subject: Bug referer for systems with non-standard HTTP port

Now tests also for the scheme and port, which must be identical to the
ones in the referer.

https://github.com/marienfressinaud/FreshRSS/issues/565#issuecomment-53916915
https://github.com/marienfressinaud/FreshRSS/issues/554
---
 app/FreshRSS.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'app/FreshRSS.php')

diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 30f711e20..cf6390f68 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -6,8 +6,7 @@ class FreshRSS extends Minz_FrontController {
 		}
 		$loginOk = $this->accessControl(Minz_Session::param('currentUser', ''));
 		$this->loadParamsView();
-		if (Minz_Request::isPost() && (empty($_SERVER['HTTP_REFERER']) ||
-			Minz_Request::getDomainName() !== parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST))) {
+		if (Minz_Request::isPost() && !Minz_Request::isRefererFromSameDomain()) {
 			$loginOk = false;	//Basic protection against XSRF attacks
 			Minz_Error::error(
 				403,
-- 
cgit v1.2.3