fix CSRF checking so that localhost always works
This commit is contained in:
parent
f7b4fd644b
commit
98e0c3e89c
@ -2,23 +2,38 @@ package http
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
||||
"github.com/mediocregopher/blog.mediocregopher.com/srv/http/apiutil"
|
||||
)
|
||||
|
||||
func checkCSRF(r *http.Request, publicURL *url.URL) error {
|
||||
|
||||
if ipStr, _, err := net.SplitHostPort(r.Host); err == nil {
|
||||
if ip := net.ParseIP(ipStr); ip != nil && ip.IsLoopback() {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
refererURL, err := url.Parse(r.Referer())
|
||||
if err != nil {
|
||||
return errors.New("invalid Referer")
|
||||
}
|
||||
|
||||
if refererURL.Scheme != publicURL.Scheme ||
|
||||
refererURL.Host != publicURL.Host {
|
||||
return errors.New("invalid Referer")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (a *api) checkCSRFMiddleware(h http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||
|
||||
refererURL, err := url.Parse(r.Referer())
|
||||
if err != nil {
|
||||
apiutil.BadRequest(rw, r, errors.New("invalid Referer"))
|
||||
return
|
||||
}
|
||||
|
||||
if refererURL.Scheme != a.params.PublicURL.Scheme ||
|
||||
refererURL.Host != a.params.PublicURL.Host {
|
||||
if err := checkCSRF(r, a.params.PublicURL); err != nil {
|
||||
apiutil.BadRequest(rw, r, errors.New("invalid Referer"))
|
||||
return
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user