From 000a5915a143f52aa46f8838947e08b6b96e6bff Mon Sep 17 00:00:00 2001 From: Paul Duncan Date: Sat, 21 May 2016 14:02:52 -0400 Subject: refactor origin check --- src/guff.cr | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/src/guff.cr b/src/guff.cr index e123eff..2702d7e 100644 --- a/src/guff.cr +++ b/src/guff.cr @@ -452,6 +452,14 @@ module Guff def initialize(@context : Context) super() end + + protected def valid_origin_headers?(headers : HTTP::Headers) + # FIXME: need to compare these against something rather than + # just making sure that they are there + %w{origin referer}.any? do |key| + headers[key]? && headers[key].size > 0 + end + end end abstract class AuthenticatedHandler < Handler @@ -506,7 +514,8 @@ module Guff def call(context : HTTP::Server::Context) req_path = context.request.path.not_nil! - if matching_request?(context.request.method, req_path) + if matching_request?(context.request.method, req_path) && + valid_origin_headers?(context.request.headers) # get expanded path to file if abs_path = expand_path(req_path) # get file digest @@ -601,7 +610,9 @@ module Guff when "POST" begin # check for valid origin or referer header - check_request_headers(context.request.headers) + unless valid_origin_headers?(context.request.headers) + raise "missing origin and referer headers" + end # create session session_id = @context.session.create({ @@ -678,17 +689,6 @@ module Guff # return user id user_id end - - private def check_request_headers(headers : HTTP::Headers) - # FIXME: need to compare these against something rather than - # just making sure that they are there - raise "missing origin and referer headers" unless %w{ - origin - referer - }.any? do |key| - headers[key]? && headers[key].size > 0 - end - end end class LogoutPageHandler < Handler @@ -696,7 +696,8 @@ module Guff def call(context : HTTP::Server::Context) if context.request.method == "GET" && - PATH_RE.match(context.request.path.not_nil!) + PATH_RE.match(context.request.path.not_nil!) && + valid_origin_headers?(context.request.headers) # delete session @context.session.delete -- cgit v1.2.3