author | Paul Duncan <pabs@pablotron.org> | 2016-05-21 13:35:31 -0400 |
---|---|---|
committer | Paul Duncan <pabs@pablotron.org> | 2016-05-21 13:35:31 -0400 |
commit | 3eb07fcdf2a227009faa11eddf96fe63952533c6 (patch) | |
tree | 463005a5e84b5dcefa3231a5199574363919ea3b /src | |
parent | b49749b64c9c82546150f89de5ec41259fccebdc (diff) | |
download | guff-3eb07fcdf2a227009faa11eddf96fe63952533c6.tar.bz2 guff-3eb07fcdf2a227009faa11eddf96fe63952533c6.zip |
add origin/referer check
Diffstat (limited to 'src')
-rw-r--r-- | src/guff.cr | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/guff.cr b/src/guff.cr
index a2e2da5..f25e1c3 100644
--- a/src/guff.cr
+++ b/src/guff.cr
@@ -596,6 +596,9 @@ module Guff
       reply(context.response)
     when "POST"
       begin
+        # check for valid origin or referer header
+        check_request_headers(context.request.headers)
+
         # create session
         session_id = @context.session.create({
           "user_id": login(context.request.body),
@@ -671,6 +674,17 @@ module Guff
       # return user id
       user_id
     end
+
+    private def check_request_headers(headers : HTTP::Headers)
+      # FIXME: need to compare these against something rather than
+      # just making sure that they are there
+      raise "missing origin and referer headers" unless %w{
+        origin
+        referer
+      }.any? do |key|
+        headers[key]? && headers[key].size > 0
+      end
+    end
   end
 
   class LogoutPageHandler < Handler
|
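Review bot: Checking only that an `origin` or `referer` header is present (the body of `check_request_headers` in the second hunk) does not block cross-site requests: a browser attaches the attacking page's `Origin` to a cross-site form POST, so a CSRF request sails through this check, as the FIXME itself concedes. The value has to be compared against the host the request was addressed to, preferring `Origin` and falling back to `Referer` only when `Origin` is absent, and `Origin: null` (an opaque origin) must be rejected; the rewrite below compares against `headers["host"]?` and assumes `URI` is already required by the file (add `require "uri"` otherwise). The `raise` is reached from the `begin` added in the first hunk, but the matching `rescue` and the enclosing handler class are outside both hunks, so I cannot tell from here whether the client gets a 403 or a generic error — a 403 is what this condition deserves. Minor: the original `headers[key]? && headers[key].size > 0` looks each header up twice; the rewrite folds that into a single `nil?`/`empty?` check.
```crystal
    private def check_request_headers(headers : HTTP::Headers)
      # Browsers send the *requesting* page's Origin on cross-site POSTs, so
      # presence alone proves nothing: the value must name the host this
      # request was addressed to.  Referer is only a fallback for clients
      # that omit Origin; "Origin: null" parses to no host and is rejected.
      # Note: default ports must be spelled the same way in both headers.
      host = headers["host"]?
      raise "missing host header" if host.nil? || host.empty?

      source = headers["origin"]? || headers["referer"]?
      raise "missing origin and referer headers" if source.nil? || source.empty?

      uri = URI.parse(source)
      authority = uri.port ? "#{uri.host}:#{uri.port}" : uri.host
      raise "origin does not match host" unless authority == host
    end
```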