From ee0cb68f5ed91f30b5ab4c43d13433197b4fcb24 Mon Sep 17 00:00:00 2001
From: Frank Karlitschek <karlitschek@kde.org>
Date: Fri, 27 Apr 2012 01:18:21 +0200
Subject: [PATCH] some csrf fixes. needs testing

---
 lib/base.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/base.php b/lib/base.php
index 5c42000b9e1..a30f4e38c78 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -325,6 +325,16 @@ class OC{
 		self::checkInstalled();
 		self::checkSSL();
 
+                // CSRF protection
+                if(isset($_SERVER['HTTP_REFERER'])) $referer=$_SERVER['HTTP_REFERER']; else $referer='';
+                if(isset($_SERVER['HTTPS']) and $_SERVER['HTTPS']<>'') $protocol='https://'; else $protocol='http://';
+                $server=$protocol.$_SERVER['SERVER_NAME'];
+                if(($_SERVER['REQUEST_METHOD']=='POST') and (substr($referer,0,strlen($server))<>$server)) {
+                        $url = $protocol.$_SERVER['SERVER_NAME'].OC::$WEBROOT.'/index.php';
+                        header("Location: $url");
+                        exit();
+                } 
+
 		self::initSession();
 		self::initTemplateEngine();
 		self::checkUpgrade();
-- 
2.39.5