Verify that authenticated API calls are made from our domain name.
authorMikael Nordfeldth <mmn@hethane.se>
Mon, 22 Feb 2016 14:19:10 +0000 (15:19 +0100)
committerMikael Nordfeldth <mmn@hethane.se>
Mon, 22 Feb 2016 14:19:10 +0000 (15:19 +0100)
Evil forms on other websites could otherwise potentially be configured
to have action="https://gnusocial.example/api/statuses/update.json" or
whatever. XHR is already blocked with CORS stuff.

Really, why do browsers allow cross domain POSTs at all? Sigh. The web.

lib/apiauthaction.php
lib/util.php

index 0e81082c35ea79a322a3dc26d92f6848074036cc..a3deccd3da0e05aa25808b6ab9296a4790d76a8d 100644 (file)
@@ -85,8 +85,10 @@ class ApiAuthAction extends ApiAction
         // NOTE: $this->scoped and $this->auth_user has to get set in
         // prepare(), not handle(), as subclasses use them in prepares.
 
-        // Allow regular login session
-        if (common_logged_in()) {
+        // Allow regular login session, but we have to double-check the
+        // HTTP_REFERER value to avoid cross domain POSTing since the API
+        // doesn't use the "token" form field.
+        if (common_logged_in() && common_local_referer()) {
             $this->scoped = Profile::current();
             $this->auth_user = $this->scoped->getUser();
             if (!$this->auth_user->hasRight(Right::API)) {
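Review bot: The new condition on the `if` line gates session authentication for every request method, not only the cross-domain POSTs the commit description targets, so a logged-in user who reaches a read-only API URL from a link on another site, or whose browser omits the Referer entirely, silently loses the session and falls through to whatever authentication path follows (not visible in the hunk). Consider limiting the referer requirement to state-changing requests, e.g. `if (common_logged_in() && ($_SERVER['REQUEST_METHOD'] === 'GET' || common_local_referer())) {`, and extending the comment to say that safe methods are exempt because a cross-site GET cannot read the response. A Referer check is also a weaker CSRF defence than the form token it replaces here; accepting a matching `Origin` header as an alternative would cover clients whose referrer policy strips the path or the whole header. The enclosing prepare() starts and ends outside this hunk.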
index bef56502a04e4dccb14da69050394e00f10ffee8..c87b0f1bf69d9ca1cfdeef7958992f247b2a25d0 100644 (file)
@@ -264,6 +264,11 @@ function common_logged_in()
     return (!is_null(common_current_user()));
 }
 
+function common_local_referer()
+{
+    return parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) === common_config('site', 'server');
+}
+
 function common_have_session()
 {
     return (0 != strcmp(session_id(), ''));
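Review bot: `common_local_referer()` reads `$_SERVER['HTTP_REFERER']` unguarded, so a request that carries no Referer at all (API clients, or a browser applying a no-referrer policy) triggers an undefined-index notice before the strict comparison returns false; the value should be checked with isset and an empty string rejected explicitly. The host comparison is also case-sensitive while DNS names are not, so a referer whose host differs only in letter case from `common_config('site', 'server')` is refused; strcasecmp avoids that. parse_url() yields null or false on failure and the `===` already rejects those, but checking is_string makes the fail-closed intent visible to the next reader. The rewrite below keeps the same signature and return type.
```php
function common_local_referer()
{
    // Fail closed: no Referer, an unparsable one, or a foreign host all return false.
    if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] === '') {
        return false;
    }
    $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($host)
        && strcasecmp($host, common_config('site', 'server')) === 0;
}
```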