From 5f7032dfee1fd202c14e76a9f8b37af35d584901 Mon Sep 17 00:00:00 2001 From: Mikael Nordfeldth Date: Mon, 22 Feb 2016 15:19:10 +0100 Subject: [PATCH] Verify that authenticated API calls are made from our domain name. Evil forms on other websites could otherwise potentially be configured to have action="https://gnusocial.example/api/statuses/update.json" or whatever. XHR is already blocked with CORS stuff. Really, why do browsers allow cross domain POSTs at all? Sigh. The web. --- lib/apiauthaction.php | 6 ++++-- lib/util.php | 5 +++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/lib/apiauthaction.php b/lib/apiauthaction.php index 0e81082c35..a3deccd3da 100644 --- a/lib/apiauthaction.php +++ b/lib/apiauthaction.php @@ -85,8 +85,10 @@ class ApiAuthAction extends ApiAction // NOTE: $this->scoped and $this->auth_user has to get set in // prepare(), not handle(), as subclasses use them in prepares. - // Allow regular login session - if (common_logged_in()) { + // Allow regular login session, but we have to double-check the + // HTTP_REFERER value to avoid cross domain POSTing since the API + // doesn't use the "token" form field. + if (common_logged_in() && common_local_referer()) { $this->scoped = Profile::current(); $this->auth_user = $this->scoped->getUser(); if (!$this->auth_user->hasRight(Right::API)) { diff --git a/lib/util.php b/lib/util.php index bef56502a0..c87b0f1bf6 100644 --- a/lib/util.php +++ b/lib/util.php @@ -264,6 +264,11 @@ function common_logged_in() return (!is_null(common_current_user())); } +function common_local_referer() +{ + return parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) === common_config('site', 'server'); +} + function common_have_session() { return (0 != strcmp(session_id(), '')); -- 2.39.5