From: Frank Karlitschek <karlitschek@kde.org>
Date: Thu, 26 Apr 2012 23:18:21 +0000 (+0200)
Subject: some csrf fixes. needs testing
X-Git-Tag: v4.0.0beta~173
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=ee0cb68f5ed91f30b5ab4c43d13433197b4fcb24;p=nextcloud-server.git

some csrf fixes. needs testing
---

diff --git a/lib/base.php b/lib/base.php
index 5c42000b9e1..a30f4e38c78 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -325,6 +325,16 @@ class OC{
 		self::checkInstalled();
 		self::checkSSL();
 
+                // CSRF protection
+                if(isset($_SERVER['HTTP_REFERER'])) $referer=$_SERVER['HTTP_REFERER']; else $referer='';
+                if(isset($_SERVER['HTTPS']) and $_SERVER['HTTPS']<>'') $protocol='https://'; else $protocol='http://';
+                $server=$protocol.$_SERVER['SERVER_NAME'];
+                if(($_SERVER['REQUEST_METHOD']=='POST') and (substr($referer,0,strlen($server))<>$server)) {
+                        $url = $protocol.$_SERVER['SERVER_NAME'].OC::$WEBROOT.'/index.php';
+                        header("Location: $url");
+                        exit();
+                } 
+
 		self::initSession();
 		self::initTemplateEngine();
 		self::checkUpgrade();