authorPaul Duncan <pabs@pablotron.org>2016-05-21 13:35:31 -0400
committerPaul Duncan <pabs@pablotron.org>2016-05-21 13:35:31 -0400
commit3eb07fcdf2a227009faa11eddf96fe63952533c6 (patch)
tree463005a5e84b5dcefa3231a5199574363919ea3b
parentb49749b64c9c82546150f89de5ec41259fccebdc (diff)
downloadguff-3eb07fcdf2a227009faa11eddf96fe63952533c6.tar.bz2
guff-3eb07fcdf2a227009faa11eddf96fe63952533c6.zip
add origin/referer check
-rw-r--r--src/guff.cr14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/guff.cr b/src/guff.cr
index a2e2da5..f25e1c3 100644
--- a/src/guff.cr
+++ b/src/guff.cr
@@ -596,6 +596,9 @@ module Guff
reply(context.response)
when "POST"
begin
+ # check for valid origin or referer header
+ check_request_headers(context.request.headers)
+
# create session
session_id = @context.session.create({
"user_id": login(context.request.body),
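Review bot: The `check_request_headers` call inserted before the session is created does not actually block a cross-site login POST, because (as the FIXME on the helper in the following hunk says) it only tests that an Origin or Referer header is non-empty, and browsers attach `Origin` to every cross-site form or fetch POST, including the value `Origin: null`. To be an effective CSRF guard the value has to be parsed and compared against the origin this server is serving, preferring Origin and falling back to Referer's scheme/host/port, e.g. `raise "origin not allowed" unless allowed_origin?(headers["Origin"]? || headers["Referer"]?)`, with the allowed origin taken from configuration rather than from the request itself. It is also worth adding a comment at this call site such as `# CSRF guard: reject login POSTs whose Origin/Referer is not this site` so the intent is clear once the comparison exists. The `begin` block that wraps this call has its `rescue` outside the hunk, so it is not visible here whether a failed check is reported as 403 or folded into a generic login error; a distinct status is preferable so the failure is not mistaken for bad credentials.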
@@ -671,6 +674,17 @@ module Guff
# return user id
user_id
end
+
+ private def check_request_headers(headers : HTTP::Headers)
+ # FIXME: need to compare these against something rather than
+ # just making sure that they are there
+ raise "missing origin and referer headers" unless %w{
+ origin
+ referer
+ }.any? do |key|
+ headers[key]? && headers[key].size > 0
+ end
+ end
end
class LogoutPageHandler < Handler