Add XSRF protection for POST requests

Some Hydra API requests were vulnerable to XSRF attacks, e.g. you
could have a form on another website using http://hydra/logout as the
form action. So we now require POST requests to come from the same
origin.

Reported by Hans-Christian Esperer.
Eelco Dolstra 2016-10-20 16:11:33 +02:00
parent bbe45ed844
commit c928c41ee1


@ -60,6 +60,15 @@ sub begin :Private {
}; };
$_->supportedInputTypes($c->stash->{inputTypes}) foreach @{$c->hydra_plugins}; $_->supportedInputTypes($c->stash->{inputTypes}) foreach @{$c->hydra_plugins};
# XSRF protection: require POST requests to have the same origin.
if ($c->req->method eq "POST") {
my $referer = $c->req->header('Origin');
$referer //= $c->req->header('Referer');
my $base = $c->req->base;
error($c, "POST requests should come from $base")
unless defined $referer && $referer eq $base;
}
$c->forward('deserialize'); $c->forward('deserialize');
$c->stash->{params} = $c->request->data or $c->request->params; $c->stash->{params} = $c->request->data or $c->request->params;
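Review bot: the exact comparison `$referer eq $base` in the new XSRF block is likely to reject legitimate same-origin POSTs. The `Origin` header carries only `scheme://host[:port]` with no trailing slash, while Catalyst's `$c->req->base` is a URI that normally ends in `/` (and may include a path prefix when Hydra is mounted below the root), so `http://hydra` ne `http://hydra/` and every browser that sends `Origin` fails the check. The `Referer` fallback has the opposite problem: it contains the full URL of the referring page, so `eq` only succeeds when the form was submitted from the site root. Suggest normalizing both sides before comparing, for example reducing `$base` to its scheme, host and port for the `Origin` case (`URI->new($base)->scheme . '://' . URI->new($base)->host_port`) and using a prefix match such as `index($referer, $base) == 0` for the `Referer` case, with a test covering a POST from a non-root page. Two smaller points on the same lines: the variable is named `$referer` but usually holds the `Origin` value, which makes the `error()` message misleading; and in the unchanged context line `$c->stash->{params} = $c->request->data or $c->request->params;` the low-precedence `or` binds after the assignment, so `$c->request->params` is never assigned, which is worth fixing (`||`) while this function is being touched.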