some csrf fixes. needs testing

This commit is contained in:
Frank Karlitschek 2012-04-27 01:18:21 +02:00
parent 74b5e22a68
commit ee0cb68f5e
1 changed files with 10 additions and 0 deletions


@ -325,6 +325,16 @@ class OC{
self::checkInstalled(); self::checkInstalled();
self::checkSSL(); self::checkSSL();
// CSRF protection
if(isset($_SERVER['HTTP_REFERER'])) $referer=$_SERVER['HTTP_REFERER']; else $referer='';
if(isset($_SERVER['HTTPS']) and $_SERVER['HTTPS']<>'') $protocol='https://'; else $protocol='http://';
$server=$protocol.$_SERVER['SERVER_NAME'];
if(($_SERVER['REQUEST_METHOD']=='POST') and (substr($referer,0,strlen($server))<>$server)) {
$url = $protocol.$_SERVER['SERVER_NAME'].OC::$WEBROOT.'/index.php';
header("Location: $url");
exit();
}
self::initSession(); self::initSession();
self::initTemplateEngine(); self::initTemplateEngine();
self::checkUpgrade(); self::checkUpgrade();
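Review bot: The prefix comparison on the `if(($_SERVER['REQUEST_METHOD']=='POST') ...` line lets a foreign origin pass: `$server` ends without a delimiter, so a referer such as `https://cloud.example.attacker.test/` starts with `https://cloud.example` and is accepted, while on a non-default port a legitimate `https://cloud.example:8443/` referer is rejected because `SERVER_NAME` normally carries no port. Comparing the parsed host instead covers both cases: `$refHost = parse_url($referer, PHP_URL_HOST); if ($_SERVER['REQUEST_METHOD']=='POST' and $refHost !== $_SERVER['SERVER_NAME']) {`, and the protocol line should also exclude `'off'` (`$_SERVER['HTTPS']<>'' and $_SERVER['HTTPS']<>'off'`) since some SAPIs set that value rather than an empty string. Referer checking is at best a stopgap — the header is stripped by some proxies and privacy settings, which turns every such POST into a silent redirect that discards the submitted form — so a `// TODO: interim check; replace with a per-session anti-CSRF token once initSession() has run` comment would record that this is not the final design. The enclosing method continues past both ends of the hunk.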