authorPaul Duncan <pabs@pablotron.org>2016-05-21 14:02:52 -0400
committerPaul Duncan <pabs@pablotron.org>2016-05-21 14:02:52 -0400
commit000a5915a143f52aa46f8838947e08b6b96e6bff (patch)
tree2846af468a7ede7ccd2ad77266a4997e5cf994eb /src
parent1640651d01fe5443f3a9c807303014f1cbb2ce43 (diff)
refactor origin check
Diffstat (limited to 'src')
-rw-r--r--src/guff.cr29
1 files changed, 15 insertions, 14 deletions
diff --git a/src/guff.cr b/src/guff.cr
index e123eff..2702d7e 100644
--- a/src/guff.cr
+++ b/src/guff.cr
@@ -452,6 +452,14 @@ module Guff
def initialize(@context : Context)
super()
end
+
+ protected def valid_origin_headers?(headers : HTTP::Headers)
+ # FIXME: need to compare these against something rather than
+ # just making sure that they are there
+ %w{origin referer}.any? do |key|
+ headers[key]? && headers[key].size > 0
+ end
+ end
end
abstract class AuthenticatedHandler < Handler
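Review bot: `valid_origin_headers?` still only tests that an Origin or Referer header is present and non-empty, and a cross-site request satisfies that exactly as well as a same-site one, so none of the three call sites gains protection against forged requests; the carried-over FIXME says as much. The browser-set Origin (or, failing that, the Referer) should be parsed and its host compared with the request's own Host header, with anything that does not match treated as invalid. Because the method is shared by the file, login and logout handlers, fixing it here covers all of them. Handler's class header starts outside the hunk.
```crystal
protected def valid_origin_headers?(headers : HTTP::Headers)
  # a cross-site request carries Origin/Referer too, so the header's
  # host must match this request's Host rather than merely be present;
  # assumes the server pins Host (e.g. via its listener/proxy config)
  expected = headers["Host"]?
  return false unless expected && expected.size > 0
  expected_host = expected.split(':').first
  %w{origin referer}.any? do |key|
    value = headers[key]?
    value && value.size > 0 && URI.parse(value).host == expected_host
  end
end
```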
@@ -506,7 +514,8 @@ module Guff
def call(context : HTTP::Server::Context)
req_path = context.request.path.not_nil!
- if matching_request?(context.request.method, req_path)
+ if matching_request?(context.request.method, req_path) &&
+ valid_origin_headers?(context.request.headers)
# get expanded path to file
if abs_path = expand_path(req_path)
# get file digest
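Review bot: The `valid_origin_headers?` guard added to this `call` (and to the logout handler's GET path in the last hunk) now refuses any request that carries neither Origin nor Referer, which is the normal shape of a typed-URL or bookmarked GET and of requests from clients with a strict referrer policy, so directly fetched files will presumably fall through as unmatched. If the intent is request-forgery defence, the check belongs on state-changing requests, i.e. the POST login and the logout if it must remain a GET; a read-only file fetch gains nothing from it. This is moot if `matching_request?` already restricts the method to POST, but that method is outside the hunk, as is the rest of `call`'s body.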
@@ -601,7 +610,9 @@ module Guff
when "POST"
begin
# check for valid origin or referer header
- check_request_headers(context.request.headers)
+ unless valid_origin_headers?(context.request.headers)
+ raise "missing origin and referer headers"
+ end
# create session
session_id = @context.session.create({
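Review bot: The error text `"missing origin and referer headers"` no longer describes what `valid_origin_headers?` decides once the header value is actually validated, since a present-but-wrong Origin will trip the same `unless`; wording it as `raise "missing or invalid origin and referer headers"` keeps the message truthful when the FIXME is resolved. The `begin` block and its `rescue` continue outside the hunk.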
@@ -678,17 +689,6 @@ module Guff
# return user id
user_id
end
-
- private def check_request_headers(headers : HTTP::Headers)
- # FIXME: need to compare these against something rather than
- # just making sure that they are there
- raise "missing origin and referer headers" unless %w{
- origin
- referer
- }.any? do |key|
- headers[key]? && headers[key].size > 0
- end
- end
end
class LogoutPageHandler < Handler
@@ -696,7 +696,8 @@ module Guff
def call(context : HTTP::Server::Context)
if context.request.method == "GET" &&
- PATH_RE.match(context.request.path.not_nil!)
+ PATH_RE.match(context.request.path.not_nil!) &&
+ valid_origin_headers?(context.request.headers)
# delete session
@context.session.delete