Commit 5f7032df authored by mmn's avatar mmn

Verify that authenticated API calls are made from our domain name.

Evil forms on other websites could otherwise potentially be configured
to have action="https://gnusocial.example/api/statuses/update.json" or
whatever. XHR is already blocked with CORS stuff.

Really, why do browsers allow cross domain POSTs at all? Sigh. The web.
parent c67b89e5
......@@ -85,8 +85,10 @@ class ApiAuthAction extends ApiAction
// NOTE: $this->scoped and $this->auth_user has to get set in
// prepare(), not handle(), as subclasses use them in prepares.
// Allow regular login session
if (common_logged_in()) {
// Allow regular login session, but we have to double-check the
// HTTP_REFERER value to avoid cross domain POSTing since the API
// doesn't use the "token" form field.
if (common_logged_in() && common_local_referer()) {
$this->scoped = Profile::current();
$this->auth_user = $this->scoped->getUser();
if (!$this->auth_user->hasRight(Right::API)) {
......
......@@ -264,6 +264,11 @@ function common_logged_in()
return (!is_null(common_current_user()));
}
function common_local_referer()
{
return parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) === common_config('site', 'server');
}
function common_have_session()
{
return (0 != strcmp(session_id(), ''));
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment