diff options
author | Paul Duncan <pabs@pablotron.org> | 2016-05-21 14:02:52 -0400 |
---|---|---|
committer | Paul Duncan <pabs@pablotron.org> | 2016-05-21 14:02:52 -0400 |
commit | 000a5915a143f52aa46f8838947e08b6b96e6bff (patch) | |
tree | 2846af468a7ede7ccd2ad77266a4997e5cf994eb | |
parent | 1640651d01fe5443f3a9c807303014f1cbb2ce43 (diff) | |
download | guff-000a5915a143f52aa46f8838947e08b6b96e6bff.tar.bz2 guff-000a5915a143f52aa46f8838947e08b6b96e6bff.zip |
refactor origin check
-rw-r--r-- | src/guff.cr | 29 |
1 files changed, 15 insertions, 14 deletions
diff --git a/src/guff.cr b/src/guff.cr index e123eff..2702d7e 100644 --- a/src/guff.cr +++ b/src/guff.cr @@ -452,6 +452,14 @@ module Guff def initialize(@context : Context) super() end + + protected def valid_origin_headers?(headers : HTTP::Headers) + # FIXME: need to compare these against something rather than + # just making sure that they are there + %w{origin referer}.any? do |key| + headers[key]? && headers[key].size > 0 + end + end end abstract class AuthenticatedHandler < Handler @@ -506,7 +514,8 @@ module Guff def call(context : HTTP::Server::Context) req_path = context.request.path.not_nil! - if matching_request?(context.request.method, req_path) + if matching_request?(context.request.method, req_path) && + valid_origin_headers?(context.request.headers) # get expanded path to file if abs_path = expand_path(req_path) # get file digest @@ -601,7 +610,9 @@ module Guff when "POST" begin # check for valid origin or referer header - check_request_headers(context.request.headers) + unless valid_origin_headers?(context.request.headers) + raise "missing origin and referer headers" + end # create session session_id = @context.session.create({ @@ -678,17 +689,6 @@ module Guff # return user id user_id end - - private def check_request_headers(headers : HTTP::Headers) - # FIXME: need to compare these against something rather than - # just making sure that they are there - raise "missing origin and referer headers" unless %w{ - origin - referer - }.any? do |key| - headers[key]? && headers[key].size > 0 - end - end end class LogoutPageHandler < Handler @@ -696,7 +696,8 @@ module Guff def call(context : HTTP::Server::Context) if context.request.method == "GET" && - PATH_RE.match(context.request.path.not_nil!) + PATH_RE.match(context.request.path.not_nil!) && + valid_origin_headers?(context.request.headers) # delete session @context.session.delete |