Evil forms on other websites could otherwise be configured
to have action="https://gnusocial.example/api/statuses/update.json" or
the like. XHR is already blocked by CORS.
Really, why do browsers allow cross domain POSTs at all? Sigh. The web.
// NOTE: $this->scoped and $this->auth_user has to get set in
// prepare(), not handle(), as subclasses use them in prepares.
// NOTE: $this->scoped and $this->auth_user has to get set in
// prepare(), not handle(), as subclasses use them in prepares.
- // Allow regular login session
- if (common_logged_in()) {
+ // Allow regular login session, but we have to double-check the
+ // HTTP_REFERER value to avoid cross domain POSTing since the API
+ // doesn't use the "token" form field.
+ if (common_logged_in() && common_local_referer()) {
$this->scoped = Profile::current();
$this->auth_user = $this->scoped->getUser();
if (!$this->auth_user->hasRight(Right::API)) {
$this->scoped = Profile::current();
$this->auth_user = $this->scoped->getUser();
if (!$this->auth_user->hasRight(Right::API)) {
return (!is_null(common_current_user()));
}
return (!is_null(common_current_user()));
}
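Review bot: A logged-in request that fails `common_local_referer()` on the new `if` line now silently skips session auth and falls through to whatever credential check follows, leaving no record of the rejected Referer, which is exactly the event a defender would want to see. An `else` branch with a log line such as `common_log(LOG_WARNING, 'Rejected session auth for non-local referer: ' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '(none)'));` would make cross-site POST attempts visible without changing behaviour. Note that the same branch will also be taken for legitimate users whose browser or privacy extension strips the Referer header, so some of those log entries will be benign. The enclosing prepare() starts and ends outside this hunk, so I cannot see what authentication path runs after the fall-through.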
+function common_local_referer()
+{
+ return parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) === common_config('site', 'server');
+}
+
function common_have_session()
{
return (0 != strcmp(session_id(), ''));
function common_have_session()
{
return (0 != strcmp(session_id(), ''));
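Review bot: `common_local_referer()` reads `$_SERVER['HTTP_REFERER']` without checking that it is set, so any request that carries no Referer header raises an undefined-index notice before the comparison evaluates to false; guard it with `if (!isset($_SERVER['HTTP_REFERER'])) { return false; }` at the top of the function. The comparison is host-only and strict, so a Referer host that differs only in case is rejected, which fails closed but may surprise users; normalising both sides with `strtolower()` would avoid that. Browsers send an `Origin` header on cross-origin POSTs even when the Referer is suppressed, so checking `$_SERVER['HTTP_ORIGIN']` first when present and falling back to Referer would make the check more reliable, though I cannot confirm from here how the deployed front-end servers pass that header through. A short docblock stating that this is a CSRF mitigation for session-authenticated API POSTs and that it returns false when no Referer is sent would help readers of util.php.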