diff options
| -rw-r--r-- | src/guff.cr | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/guff.cr b/src/guff.cr index a2e2da5..f25e1c3 100644 --- a/src/guff.cr +++ b/src/guff.cr @@ -596,6 +596,9 @@ module Guff reply(context.response) when "POST" begin + # check for valid origin or referer header + check_request_headers(context.request.headers) + # create session session_id = @context.session.create({ "user_id": login(context.request.body), @@ -671,6 +674,17 @@ module Guff # return user id user_id end + + private def check_request_headers(headers : HTTP::Headers) + # FIXME: need to compare these against something rather than + # just making sure that they are there + raise "missing origin and referer headers" unless %w{ + origin + referer + }.any? do |key| + headers[key]? && headers[key].size > 0 + end + end end class LogoutPageHandler < Handler |