Verify that authenticated API calls are made from our domain name.
Evil forms on other websites could otherwise be given action="https://gnusocial.example/api/statuses/update.json" or similar. Cross-origin XHR is already blocked by CORS. Really, why do browsers allow cross domain POSTs at all? Sigh. The web.
This commit is contained in:
parent
c67b89e56b
commit
5f7032dfee
@ -85,8 +85,10 @@ class ApiAuthAction extends ApiAction
// NOTE: $this->scoped and $this->auth_user has to get set in
// NOTE: $this->scoped and $this->auth_user has to get set in
// prepare(), not handle(), as subclasses use them in prepares.
// prepare(), not handle(), as subclasses use them in prepares.
|
|
// Allow regular login session
// Allow regular login session, but we have to double-check the
if (common_logged_in()) {
// HTTP_REFERER value to avoid cross domain POSTing since the API
// doesn't use the "token" form field.
if (common_logged_in() && common_local_referer()) {
$this->scoped = Profile::current();
$this->scoped = Profile::current();
$this->auth_user = $this->scoped->getUser();
$this->auth_user = $this->scoped->getUser();
if (!$this->auth_user->hasRight(Right::API)) {
if (!$this->auth_user->hasRight(Right::API)) {
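Review bot: The new gate at `if (common_logged_in() && common_local_referer()) {` applies to every request method, so a logged-in GET that arrives without a Referer header (direct navigation, a page served with `Referrer-Policy: no-referrer`, privacy extensions, stripping proxies) now silently leaves the session path with no diagnostic. The cross-domain form POST described in the commit message only matters for state-changing requests, so I'd scope the check to those: `$safe = ($_SERVER['REQUEST_METHOD'] === 'GET' || $_SERVER['REQUEST_METHOD'] === 'HEAD');` followed by `if (common_logged_in() && ($safe || common_local_referer())) {`. When a logged-in user is rejected by the referer check, a log line naming the offending host would make the failure mode debuggable instead of looking like an expired session. The added comment could also state the limits of the mitigation, e.g. `// Referer is a weaker signal than a CSRF token (it is absent on many legitimate requests), so this only shields session-cookie auth from browser form posts.` The enclosing method begins before and continues after the hunk, so I cannot see what the fall-through path does when the condition fails.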
@ -264,6 +264,11 @@ function common_logged_in()
return (!is_null(common_current_user()));
return (!is_null(common_current_user()));
}
}
|
|
function common_local_referer()
{
return parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) === common_config('site', 'server');
}
|
function common_have_session()
function common_have_session()
{
{
return (0 != strcmp(session_id(), ''));
return (0 != strcmp(session_id(), ''));
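Review bot: `common_local_referer()` indexes `$_SERVER['HTTP_REFERER']` without checking that it exists, so every API request lacking a Referer header (privacy extensions, `Referrer-Policy: no-referrer`, stripping proxies, direct navigation) raises an undefined-index notice before the strict `===` comparison rejects it. Rejecting is the right fail-closed outcome, but it should be explicit, and the host comparison should be case-insensitive because hostnames are, while `parse_url()` returns the host exactly as the browser sent it and `common_config('site', 'server')` may be cased differently. Bear in mind that `parse_url()` is not a hardened URL parser and has historically disagreed with browsers on unusual authority syntax, so this check is defence in depth alongside a per-request token on state-changing API calls, not a substitute for one. Where browsers send an `Origin` header it is a more reliable signal than Referer, since it survives most referrer-suppression settings, and could be consulted first. A docblock should also state the contract: true only when the Referer's host matches the configured site server, false for a missing or unparseable header.
```php
function common_local_referer()
{
    // Fail closed: a request with no Referer (privacy settings, stripping
    // proxies, direct navigation) cannot prove it came from this site.
    if (!isset($_SERVER['HTTP_REFERER'])) {
        return false;
    }
    $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
    // parse_url() yields null when no host is present and false on a
    // malformed URL; treat both as "not ours".
    if (!is_string($host) || $host === '') {
        return false;
    }
    // Hostnames are case-insensitive; the configured value may differ in case
    // from what the browser sent.
    return strcasecmp($host, common_config('site', 'server')) === 0;
}
```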