diff options
| author | Frank Karlitschek <karlitschek@kde.org> | 2012-04-27 01:18:21 +0200 |
|---|---|---|
| committer | Frank Karlitschek <karlitschek@kde.org> | 2012-04-27 01:18:21 +0200 |
| commit | ee0cb68f5ed91f30b5ab4c43d13433197b4fcb24 (patch) | |
| tree | bc708ac11a3c17d5622cd0622e036bbe159cfce0 /lib/base.php | |
| parent | 74b5e22a684c3095dbd48b56da1a10d955c20305 (diff) | |
| download | nextcloud-server-ee0cb68f5ed91f30b5ab4c43d13433197b4fcb24.tar.gz nextcloud-server-ee0cb68f5ed91f30b5ab4c43d13433197b4fcb24.zip | |
some csrf fixes. needs testing
Diffstat (limited to 'lib/base.php')
| -rw-r--r-- | lib/base.php | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/lib/base.php b/lib/base.php index 5c42000b9e1..a30f4e38c78 100644 --- a/lib/base.php +++ b/lib/base.php @@ -325,6 +325,16 @@ class OC{ self::checkInstalled(); self::checkSSL(); + // CSRF protection + if(isset($_SERVER['HTTP_REFERER'])) $referer=$_SERVER['HTTP_REFERER']; else $referer=''; + if(isset($_SERVER['HTTPS']) and $_SERVER['HTTPS']<>'') $protocol='https://'; else $protocol='http://'; + $server=$protocol.$_SERVER['SERVER_NAME']; + if(($_SERVER['REQUEST_METHOD']=='POST') and (substr($referer,0,strlen($server))<>$server)) { + $url = $protocol.$_SERVER['SERVER_NAME'].OC::$WEBROOT.'/index.php'; + header("Location: $url"); + exit(); + } + self::initSession(); self::initTemplateEngine(); self::checkUpgrade(); |