From c928c41ee1f15776df85551c8df918643e5717bd Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Thu, 20 Oct 2016 16:11:33 +0200
Subject: [PATCH] Add XSRF protection for POST requests

Some Hydra API requests were vulnerable to XSRF attacks, e.g. you could have a form on another website using http://hydra/logout as the form action. So we now require POST requests to come from the same origin. Reported by Hans-Christian Esperer.
---
 src/lib/Hydra/Controller/Root.pm | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/lib/Hydra/Controller/Root.pm b/src/lib/Hydra/Controller/Root.pm
index 1d03bb38..6353abf1 100644
--- a/src/lib/Hydra/Controller/Root.pm
+++ b/src/lib/Hydra/Controller/Root.pm
@@ -60,6 +60,15 @@ sub begin :Private {
     };
     $_->supportedInputTypes($c->stash->{inputTypes}) foreach @{$c->hydra_plugins};
+    # XSRF protection: require POST requests to have the same origin.
+    if ($c->req->method eq "POST") {
+        my $referer = $c->req->header('Origin');
+        $referer //= $c->req->header('Referer');
+        my $base = $c->req->base;
+        error($c, "POST requests should come from ‘$base’")
+            unless defined $referer && $referer eq $base;
+    }
+
     $c->forward('deserialize');
     $c->stash->{params} = $c->request->data or $c->request->params;
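Review bot: The exact string comparison `$referer eq $base` in the new `unless` clause is too strict to let legitimate same-origin POSTs through: an `Origin` header is a serialized origin (`scheme://host[:port]`, no path and no trailing slash), and a `Referer` header carries the path of the page that submitted the form, so neither will equal a base URL that ends in `/` except in the special case where the form lives at the base URL itself. The fix is to normalise the header value to a trailing slash and do a prefix match against the base, but that is only safe if `$base` itself is guaranteed to end in `/` — otherwise a look-alike host such as `http://hydra.evil/` would satisfy the prefix check; whether `$c->req->base` always ends in `/` is not visible in this hunk, so the rewrite below asserts it rather than assumes it. Note also that this check rejects every non-browser POST that sends neither header (scripted API clients), which may be intended but deserves a line in the comment, e.g. `# Non-browser clients must send an Origin or Referer header matching the request base.`. The enclosing `begin` action starts and ends outside this hunk.

```perl
    # XSRF protection: require POST requests to have the same origin.
    if ($c->req->method eq "POST") {
        my $referer = $c->req->header('Origin');
        $referer //= $c->req->header('Referer');
        my $base = $c->req->base;
        # The prefix match below is only safe if $base ends in "/", so that
        # a look-alike host (http://hydra.evil/) cannot satisfy it.
        die "unexpected request base ‘$base’" unless $base =~ m{/\z};
        # Origin is scheme://host[:port] with no path; Referer includes the
        # page path. Normalise to a trailing slash, then compare the prefix.
        $referer .= "/" if defined $referer && $referer !~ m{/\z};
        error($c, "POST requests should come from ‘$base’")
            unless defined $referer && substr($referer, 0, length $base) eq $base;
    }
```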