From 4b5bffbd8310830f7d43f579461acb930d54fe37 Mon Sep 17 00:00:00 2001
From: Massimo Melina
Date: Mon, 29 Jun 2020 00:02:20 +0200
Subject: [PATCH] fix: possible CSRF

---
 main.pas | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/main.pas b/main.pas
index 646cf39..d98a6aa 100644
--- a/main.pas
+++ b/main.pas
@@ -1,4 +1,4 @@
-{
+{
 Copyright (C) 2002-2020 Massimo Melina (www.rejetto.com)
 This file is part of HFS ~ HTTP File Server.
@@ -5015,6 +5015,13 @@ var
 addString(getTill('#', data.postvars.valueFromIndex[i]), result) // omit #anchors
 end; // getFilesSelection
 
+ function possibleCSRF():boolean;
+ var s: string;
+ begin
+ s:= conn.getHeader('origin');
+ result:=(s > '') and not s.endsWith( conn.getHeader('Host'))
+ end; // possibleCSRF
+
 procedure serveTar();
 var
 tar: TtarStream;
@@ -5242,7 +5249,9 @@ var
 begin
 if (conn.request.method <> HM_POST)
 or (data.postVars.values['action'] <> 'delete')
- or not accountAllowed(FA_DELETE, data, f) then exit;
+ or not accountAllowed(FA_DELETE, data, f)
+ or possibleCSRF()
+ then exit;
 doneRes:=NIL;
 errors:=NIL;
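Review bot: The `not s.endsWith( conn.getHeader('Host'))` test in possibleCSRF is a suffix match, so any Origin whose host merely ends with the value of Host (a longer name on a shared parent domain, or a separately registered name with the site's host as its tail) is treated as same-site, which is not what the check intends. Compare the host part of Origin with Host exactly instead, e.g. `result:=(s > '') and not sameText(copy(s, pos('://', s)+3, maxInt), conn.getHeader('Host'))`, assuming SysUtils is in scope for sameText and that getHeader's lookup is case-insensitive ('origin' vs 'Host') — confirm both. The function also fails open when no Origin header is sent (`s > ''` is false, so the delete proceeds); if that is intended for non-browser clients it deserves a comment such as `// no Origin header: cannot judge, accept (non-browser clients omit it)`, and a Referer-based fallback for that case would be a reasonable follow-up. possibleCSRF is a nested routine of a larger procedure whose begin and end lie outside this hunk.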