This commit is contained in:
andreimarcu 2015-10-14 22:47:36 -04:00
parent 3c659601e2
commit 9847beeff5
2 changed files with 2 additions and 12 deletions

View File

@ -8,7 +8,7 @@ import (
// Do a strict referrer check, matching against both the Origin header (if // Do a strict referrer check, matching against both the Origin header (if
// present) and the Referrer header. If a list of headers is specified, then // present) and the Referrer header. If a list of headers is specified, then
// Referrer checking will be skipped if any of those headers are present. // Referrer checking will be skipped if any of those headers are present.
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string, allowBlank bool) bool { func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
p, _ := url.Parse(prefix) p, _ := url.Parse(prefix)
// if there's an Origin header, check it and skip other checks // if there's an Origin header, check it and skip other checks
@ -25,10 +25,6 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri
referrer := r.Header.Get("Referer") referrer := r.Header.Get("Referer")
if allowBlank && referrer == "" {
return true
}
u, _ := url.Parse(referrer) u, _ := url.Parse(referrer)
return sameOrigin(u, p) return sameOrigin(u, p)
} }

View File

@ -46,7 +46,7 @@ type Upload struct {
} }
func uploadPostHandler(c web.C, w http.ResponseWriter, r *http.Request) { func uploadPostHandler(c web.C, w http.ResponseWriter, r *http.Request) {
if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}, false) { if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
badRequestHandler(c, w, r) badRequestHandler(c, w, r)
return return
} }
@ -144,12 +144,6 @@ func uploadRemote(c web.C, w http.ResponseWriter, r *http.Request) {
unauthorizedHandler(c, w, r) unauthorizedHandler(c, w, r)
return return
} }
} else {
// strict referrer checking is mandatory without remote auth keys
if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}, true) {
badRequestHandler(c, w, r)
return
}
} }
if r.FormValue("url") == "" { if r.FormValue("url") == "" {