From 3eb07fcdf2a227009faa11eddf96fe63952533c6 Mon Sep 17 00:00:00 2001
From: Paul Duncan
Date: Sat, 21 May 2016 13:35:31 -0400
Subject: add origin/referer check

---
 src/guff.cr | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'src/guff.cr')

diff --git a/src/guff.cr b/src/guff.cr
index a2e2da5..f25e1c3 100644
--- a/src/guff.cr
+++ b/src/guff.cr
@@ -596,6 +596,9 @@ module Guff
 reply(context.response)
 when "POST"
 begin
+ # check for valid origin or referer header
+ check_request_headers(context.request.headers)
+
 # create session
 session_id = @context.session.create({
 "user_id": login(context.request.body),
@@ -671,6 +674,17 @@ module Guff
 # return user id
 user_id
 end
+
+ private def check_request_headers(headers : HTTP::Headers)
+ # FIXME: need to compare these against something rather than
+ # just making sure that they are there
+ raise "missing origin and referer headers" unless %w{
+ origin
+ referer
+ }.any? do |key|
+ headers[key]? && headers[key].size > 0
+ end
+ end
 end
 
 class LogoutPageHandler < Handler
-- 
cgit v1.2.3
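Review bot: The new `check_request_headers` call fails by raising a plain String exception, and the `rescue` for the `begin` it sits in is outside the hunk, so it is not visible whether a rejected request is answered differently from a failed login (a 403 rather than whatever a bad credential produces). A dedicated exception class, `class ForbiddenOriginError < Exception; end`, raised from the check and rescued explicitly here would make that distinction deliberate rather than accidental. Running the check before `login(context.request.body)` is the right order, since nothing from the body is consumed until the headers pass. The enclosing handler method starts and ends outside the hunk.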
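Review bot: As the FIXME in `check_request_headers` admits, the check only tests that an `origin` or `referer` header is present and non-empty, which gives no CSRF protection: a browser submitting a cross-site form POST sends an Origin header naming the attacker's site, and that value passes this check unchanged. The value has to be compared against the server's own origin; with nothing else visible in the hunk the `Host` header is the nearest candidate, though a configured allow-list of expected origins is stronger and should be preferred if the application has one. The sketch below compares host components only, since Origin carries no path while Referer may; it presumes `uri` is required somewhere in the file and that `HTTP::Headers` lookups are case-insensitive, both to confirm, and a malformed value makes `URI.parse` raise, which is an acceptable rejection. The whole of `check_request_headers` is inside the hunk.
```crystal
private def check_request_headers(headers : HTTP::Headers)
  # Presence alone is not enough: browsers send Origin (and usually
  # Referer) on cross-site POSTs too, so the value must name this server.
  # Host is used as the expected origin here; a configured allow-list of
  # origins is the stronger choice if one is available.
  host = headers["host"]?
  raise "missing host header" unless host && host.size > 0

  source = headers["origin"]? || headers["referer"]?
  raise "missing origin and referer headers" unless source && source.size > 0

  # compare host components only: Origin has no path, Referer may
  expected = host.split(':', 2)[0]
  raise "origin does not match host" unless URI.parse(source).host == expected
end
```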