Merge pull request #152 from safing/fix/csrf-protection

Fix CSRF Protection
Daniel 2022-01-20 09:46:41 +01:00 committed by GitHub
commit 7d2cd6c15d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 4 deletions


@ -113,16 +113,16 @@ func (mh *mainHandler) handle(w http.ResponseWriter, r *http.Request) error {
// Parse origin URL.
originURL, err := url.Parse(origin)
if err != nil {
tracer.Warningf("api: denied request from %s: failed to parse origin header: %s", r.RemoteAddr, err)
http.Error(lrw, "Invalid Origin.", http.StatusForbidden)
return nil
}
// Check if the Origin matches the Host.
host := r.Header.Get("Host")
switch {
case originURL.Host == host:
case originURL.Host == r.Host:
// Origin (with port) matches Host.
case originURL.Hostname() == host:
case originURL.Hostname() == r.Host:
// Origin (without port) matches Host.
case devMode() &&
utils.StringInSlice(allowedDevCORSOrigins, originURL.Hostname()):
@ -130,6 +130,7 @@ func (mh *mainHandler) handle(w http.ResponseWriter, r *http.Request) error {
// development origins.
default:
// Origin and Host do NOT match!
tracer.Warningf("api: denied request from %s: Origin (`%s`) and Host (`%s`) do not match", r.RemoteAddr, origin, r.Host)
http.Error(lrw, "Cross-Origin Request Denied.", http.StatusForbidden)
return nil
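Review bot: The second case, `originURL.Hostname() == r.Host`, only ever fires when the Origin carries an explicit port and the Host header does not, so it accepts a request from any other port on the same hostname — a different origin under the browser's same-origin rules — whenever the API is reached on a port-less Host. If the intent is to tolerate an explicitly written default port, narrowing it to `case originURL.Hostname() == r.Host && (originURL.Port() == "80" || originURL.Port() == "443"):` keeps that while rejecting other local services; otherwise the case can be dropped, since a port-less Origin already matches in the first case. Separately, Origin and Host are both attacker-influenced under DNS rebinding (a hostname the attacker controls pointing at 127.0.0.1 yields matching headers), so this comparison should be paired with a check of `r.Host` against the configured listen address, unless that already happens earlier in `handle`, outside this hunk. The enclosing `handle` function starts and ends outside the hunk, and the rendered section appears to omit at least one changed line, so the removed old side of the log line is not visible here.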


@ -47,7 +47,7 @@ func Run() int {
// Shutdown
// catch interrupt for clean shutdown
signalCh := make(chan os.Signal)
signalCh := make(chan os.Signal, 1)
if enableInputSignals {
go inputSignals(signalCh)
}
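Review bot: The new buffered channel on the `signalCh` line deserves a one-line comment explaining why the capacity is 1, because the reason (the signal package never blocks on send and drops a signal the channel cannot accept) is not visible anywhere in the hunk and a future edit could revert it to unbuffered without noticing. Suggested: `// Buffered: signal.Notify does not block on send, so an unbuffered channel can miss the signal (go vet flags this).` This assumes `signalCh` is handed to `signal.Notify` elsewhere in `Run`, which starts and ends outside the hunk; if `inputSignals` (started on the next lines) also sends on it, a capacity of 1 still only guarantees delivery of one pending value.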