Verify that authenticated API calls are made from our domain name.

Evil forms on other websites could otherwise potentially be configured
to have action="https://gnusocial.example/api/statuses/update.json" or
whatever. XHR is already blocked with CORS stuff.

Really, why do browsers allow cross domain POSTs at all? Sigh. The web.
This commit is contained in:
Mikael Nordfeldth 2016-02-22 15:19:10 +01:00
parent c67b89e56b
commit 5f7032dfee
2 changed files with 9 additions and 2 deletions

View File

@ -85,8 +85,10 @@ class ApiAuthAction extends ApiAction
// NOTE: $this->scoped and $this->auth_user has to get set in // NOTE: $this->scoped and $this->auth_user has to get set in
// prepare(), not handle(), as subclasses use them in prepares. // prepare(), not handle(), as subclasses use them in prepares.
// Allow regular login session // Allow regular login session, but we have to double-check the
if (common_logged_in()) { // HTTP_REFERER value to avoid cross domain POSTing since the API
// doesn't use the "token" form field.
if (common_logged_in() && common_local_referer()) {
$this->scoped = Profile::current(); $this->scoped = Profile::current();
$this->auth_user = $this->scoped->getUser(); $this->auth_user = $this->scoped->getUser();
if (!$this->auth_user->hasRight(Right::API)) { if (!$this->auth_user->hasRight(Right::API)) {

View File

@ -264,6 +264,11 @@ function common_logged_in()
return (!is_null(common_current_user())); return (!is_null(common_current_user()));
} }
function common_local_referer()
{
return parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) === common_config('site', 'server');
}
function common_have_session() function common_have_session()
{ {
return (0 != strcmp(session_id(), '')); return (0 != strcmp(session_id(), ''));