Skip to content

GitLab

Commit 0bc19df6 authored by Matt Bell's avatar Matt Bell
Browse files
Options

commands/http: Made command HTTP API only accept requests from referers on the same server

parent ae5259f0
Show whitespace changes
Inline Side-by-side
Showing with 15 additions and 0 deletions
http/handler.go
View file @ 0bc19df6
...@@ -6,6 +6,7 @@ import ( ...@@ -6,6 +6,7 @@ import (
"io" "io"
"net/http" "net/http"
"strconv" "strconv"
"strings"
context "github.com/jbenet/go-ipfs/Godeps/_workspace/src/code.google.com/p/go.net/context" context "github.com/jbenet/go-ipfs/Godeps/_workspace/src/code.google.com/p/go.net/context"
...@@ -55,6 +56,20 @@ func (i Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { ...@@ -55,6 +56,20 @@ func (i Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
log.Debug("Incoming API request: ", r.URL) log.Debug("Incoming API request: ", r.URL)
// error on external referers (to prevent CSRF attacks)
referer := r.Referer()
scheme := r.URL.Scheme
if len(scheme) == 0 {
scheme = "http"
}
host := fmt.Sprintf("%s://%s/", scheme, r.Host)
// empty string means the user isn't following a link (they are directly typing in the url)
if referer != "" && !strings.HasPrefix(referer, host) {
w.WriteHeader(http.StatusForbidden)
w.Write([]byte("403 - Forbidden"))
return
}
if len(i.origin) > 0 { if len(i.origin) > 0 {
w.Header().Set("Access-Control-Allow-Origin", i.origin) w.Header().Set("Access-Control-Allow-Origin", i.origin)
} }
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment