From 13b03b232ba9a5b3c30784adc3a8bf8f03b90f63 Mon Sep 17 00:00:00 2001
From: hesch
Date: Thu, 11 Feb 2021 17:38:39 +0100
Subject: refactor: remove referer checks, as they are no longer needed (replaced by csrf tokens) (#3432)
---
 lib/lib_install.php | 4 +---
 lib/lib_rss.php | 17 -----------------
 2 files changed, 1 insertion(+), 20 deletions(-)
(limited to 'lib')
diff --git a/lib/lib_install.php b/lib/lib_install.php
index f8b2ba969..e1a4c98dd 100644
--- a/lib/lib_install.php
+++ b/lib/lib_install.php
@@ -46,7 +46,6 @@ function checkRequirements($dbType = '') {
 $tmp = TMP_PATH && is_writable(TMP_PATH);
 $users = USERS_PATH && is_writable(USERS_PATH);
 $favicons = is_writable(join_path(DATA_PATH, 'favicons'));
- $http_referer = is_referer_from_same_domain();
 return array(
 'php' => $php ? 'ok' : 'ko',
@@ -67,10 +66,9 @@ function checkRequirements($dbType = '') {
 'tmp' => $tmp ? 'ok' : 'ko',
 'users' => $users ? 'ok' : 'ko',
 'favicons' => $favicons ? 'ok' : 'ko',
- 'http_referer' => $http_referer ? 'ok' : 'ko',
 'message' => $message ?: '',
 'all' => $php && $curl && $pdo && $pcre && $ctype && $dom && $xml &&
- $data && $cache && $tmp && $users && $favicons && $http_referer && $message == '' ? 'ok' : 'ko'
+ $data && $cache && $tmp && $users && $favicons && $message == '' ? 'ok' : 'ko'
 );
 }
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 39ac2c1f8..5d1fe6f43 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
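Review bot: The `'http_referer'` key is dropped from the array checkRequirements() returns (hunk at @@ -67), but this patch is limited to lib/, so whichever view renders that array must stop reading the key in the same change or it will hit an undefined index; likewise any remaining caller of is_referer_from_same_domain(), which the lib_rss.php hunk deletes, would now fail with an undefined function, so both names are worth a tree-wide search before merge. On the added `'all'` line the loose `$message == ''` is carried over from the old line; `$message === ''` is the strict form and reads the same here. The commit relies on CSRF tokens having replaced this same-origin check everywhere, including the installer whose requirement report this is, which cannot be confirmed from these hunks. checkRequirements() begins before the first hunk.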
@@ -393,23 +393,6 @@ function cryptAvailable() {
 return false;
 }
-function is_referer_from_same_domain() {
- if (empty($_SERVER['HTTP_REFERER'])) {
- return true; //Accept empty referer while waiting for good support of meta referrer same-origin policy in browsers
- }
- $host = parse_url(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://') .
- (empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']));
- $referer = parse_url($_SERVER['HTTP_REFERER']);
- if (empty($host['host']) || empty($referer['host']) || $host['host'] !== $referer['host']) {
- return false;
- }
- //TODO: check 'scheme', taking into account the case of a proxy
- if ((isset($host['port']) ? $host['port'] : 0) !== (isset($referer['port']) ? $referer['port'] : 0)) {
- return false;
- }
- return true;
-}
-
 /**
 * Check PHP and its extensions are well-installed.
-- cgit v1.2.3