Add XSRF protection for POST requests
Some Hydra API requests were vulnerable to XSRF attacks, e.g. you could have a form on another website using http://hydra/logout as the form action. So we now require POST requests to come from the same origin. Reported by Hans-Christian Esperer.
This commit is contained in:
parent
bbe45ed844
commit
c928c41ee1
@ -60,6 +60,15 @@ sub begin :Private {
|
||||||
};
|
};
|
||||||
$_->supportedInputTypes($c->stash->{inputTypes}) foreach @{$c->hydra_plugins};
|
$_->supportedInputTypes($c->stash->{inputTypes}) foreach @{$c->hydra_plugins};
|
||||||
|
|
||||||
|
# XSRF protection: require POST requests to have the same origin.
|
||||||
|
if ($c->req->method eq "POST") {
|
||||||
|
my $referer = $c->req->header('Origin');
|
||||||
|
$referer //= $c->req->header('Referer');
|
||||||
|
my $base = $c->req->base;
|
||||||
|
error($c, "POST requests should come from ‘$base’")
|
||||||
|
unless defined $referer && $referer eq $base;
|
||||||
|
}
|
||||||
|
|
||||||
$c->forward('deserialize');
|
$c->forward('deserialize');
|
||||||
|
|
||||||
$c->stash->{params} = $c->request->data or $c->request->params;
|
$c->stash->{params} = $c->request->data or $c->request->params;
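Review bot: The exact `eq` comparison on the new `unless` line is likely to reject legitimate same-origin POSTs rather than only cross-site ones: if, as Catalyst documents, `$c->req->base` always ends in a slash, a browser's `Origin` header (scheme://host[:port], no trailing slash) never equals it, and `Referer` carries the full request path, so it never equals it either. A prefix check that keeps the base's trailing slash is both more permissive for same-origin requests and still safe against look-alike hosts such as `http://hydra.attacker.example/`: add `$referer .= "/" if defined $referer;` after the `//=` line and make the condition `unless defined $referer && substr($referer, 0, length $base) eq $base;`. Note also that non-browser API clients sending neither header will now be refused on every POST; if that is intended it deserves a comment next to the check, otherwise those callers need an exemption or a token-based alternative. `sub begin` starts before and continues after this hunk.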
|