some csrf fixes. needs testing

author Frank Karlitschek <karlitschek@kde.org>

Thu, 26 Apr 2012 23:18:21 +0000 (01:18 +0200)

committer Frank Karlitschek <karlitschek@kde.org>

Thu, 26 Apr 2012 23:18:21 +0000 (01:18 +0200)
author Frank Karlitschek <karlitschek@kde.org>
Thu, 26 Apr 2012 23:18:21 +0000 (01:18 +0200)
committer Frank Karlitschek <karlitschek@kde.org>
Thu, 26 Apr 2012 23:18:21 +0000 (01:18 +0200)
diff --git a/lib/base.php b/lib/base.php

index 5c42000b9e10476e32b877f7ec570e6981e0dd66..a30f4e38c7802bb34be5bab05da8724d487fbaf9 100644 (file)
--- a/lib/base.php
+++ b/lib/base.php
@@ -325,6 +325,16 @@ class OC{
                 self::checkInstalled();
                 self::checkSSL();
  
+                // CSRF protection
+                if(isset($_SERVER['HTTP_REFERER'])) $referer=$_SERVER['HTTP_REFERER']; else $referer='';
+                if(isset($_SERVER['HTTPS']) and $_SERVER['HTTPS']<>'') $protocol='https://'; else $protocol='http://';
+                $server=$protocol.$_SERVER['SERVER_NAME'];
+                if(($_SERVER['REQUEST_METHOD']=='POST') and (substr($referer,0,strlen($server))<>$server)) {
+                        $url = $protocol.$_SERVER['SERVER_NAME'].OC::$WEBROOT.'/index.php';
+                        header("Location: $url");
+                        exit();
+                } 
+
                 self::initSession();
                 self::initTemplateEngine();
                 self::checkUpgrade();
author	Frank Karlitschek <karlitschek@kde.org>
	Thu, 26 Apr 2012 23:18:21 +0000 (01:18 +0200)
committer	Frank Karlitschek <karlitschek@kde.org>
	Thu, 26 Apr 2012 23:18:21 +0000 (01:18 +0200)