From 9847beeff5c1bba4a15fe4254b63670aeb62a2c1 Mon Sep 17 00:00:00 2001
From: andreimarcu
Date: Wed, 14 Oct 2015 22:47:36 -0400
Subject: [PATCH] Cleanup

---
 csrf.go | 6 +-----
 upload.go | 8 +-------
 2 files changed, 2 insertions(+), 12 deletions(-)

diff --git a/csrf.go b/csrf.go
index 509d95c..d32f860 100644
--- a/csrf.go
+++ b/csrf.go
@@ -8,7 +8,7 @@ import (
 // Do a strict referrer check, matching against both the Origin header (if
 // present) and the Referrer header. If a list of headers is specified, then
 // Referrer checking will be skipped if any of those headers are present.
-func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string, allowBlank bool) bool {
+func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
 p, _ := url.Parse(prefix)
 
 // if there's an Origin header, check it and skip other checks
@@ -25,10 +25,6 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri
 
 referrer := r.Header.Get("Referer")
 
- if allowBlank && referrer == "" {
- return true
- }
-
 u, _ := url.Parse(referrer)
 return sameOrigin(u, p)
 }
diff --git a/upload.go b/upload.go
index 319be6b..0c050c6 100644
--- a/upload.go
+++ b/upload.go
@@ -46,7 +46,7 @@ type Upload struct {
 }
 
 func uploadPostHandler(c web.C, w http.ResponseWriter, r *http.Request) {
- if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}, false) {
+ if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
 badRequestHandler(c, w, r)
 return
 }
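Review bot: The doc comment kept above the new strictReferrerCheck signature says nothing about a request that carries neither Origin nor Referer, and once the second csrf.go hunk (@@ -25) removes the allowBlank short-circuit such a request falls through to `url.Parse("")` and `sameOrigin` with an empty URL, which presumably fails closed; that is now the behaviour callers depend on and it should be stated, e.g. `// A request with neither Origin nor Referer is rejected unless a whitelisted header is present.` Both `url.Parse` calls still discard their error, so a malformed Referer reaches sameOrigin as a nil *url.URL rather than being rejected outright, and whether sameOrigin tolerates nil is not visible here — a `if err != nil { return false }` on the Referer parse would make the rejection explicit. The Origin check and the whitelist loop between the two hunks are outside this view.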
@@ -144,12 +144,6 @@ func uploadRemote(c web.C, w http.ResponseWriter, r *http.Request) {
 unauthorizedHandler(c, w, r)
 return
 }
- } else {
- // strict referrer checking is mandatory without remote auth keys
- if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}, true) {
- badRequestHandler(c, w, r)
- return
- }
 }
 
 if r.FormValue("url") == "" {
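Review bot: With the else branch deleted, uploadRemote no longer calls strictReferrerCheck on the path where the remote-auth check does not apply, so a request from another origin can reach the URL-fetch code below with no CSRF guard at all; the deleted comment called that check mandatory, and the commit message ("Cleanup") gives no reason for dropping it rather than just the allowBlank argument. If the intent was only to stop passing allowBlank, keep the guard, e.g. `if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) { badRequestHandler(c, w, r); return }` in the else branch, matching what uploadPostHandler keeps in the first upload.go hunk. The condition that selects the auth branch and the rest of uploadRemote are outside the hunk, so whether some other check covers this path is not visible here; a handler test that sends a request with a foreign Origin and no auth key to the remote endpoint and expects badRequestHandler would settle it.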