MBonaldo/hfs2
1
0
Fork 0
mirror of https://github.com/rejetto/hfs2.git synced 2025-12-19 10:03:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: possible CSRF

Browse Source
This commit is contained in:
Massimo Melina 2020-06-29 00:02:20 +02:00
parent cf3761b7ed
commit 4b5bffbd83
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
main.pas
View File

@ -1,4 +1,4 @@
{ {
Copyright (C) 2002-2020 Massimo Melina (www.rejetto.com) Copyright (C) 2002-2020 Massimo Melina (www.rejetto.com)
This file is part of HFS ~ HTTP File Server. This file is part of HFS ~ HTTP File Server.
@ -5015,6 +5015,13 @@ var
addString(getTill('#', data.postvars.valueFromIndex[i]), result) // omit #anchors addString(getTill('#', data.postvars.valueFromIndex[i]), result) // omit #anchors
end; // getFilesSelection end; // getFilesSelection
function possibleCSRF():boolean;
var s: string;
begin
s:= conn.getHeader('origin');
result:=(s > '') and not s.endsWith( conn.getHeader('Host'))
end; // possibleCSRF
procedure serveTar(); procedure serveTar();
var var
tar: TtarStream; tar: TtarStream;
@ -5242,7 +5249,9 @@ var
begin begin
if (conn.request.method <> HM_POST) if (conn.request.method <> HM_POST)
or (data.postVars.values['action'] <> 'delete') or (data.postVars.values['action'] <> 'delete')
or not accountAllowed(FA_DELETE, data, f) then exit; or not accountAllowed(FA_DELETE, data, f)
or possibleCSRF()
then exit;
doneRes:=NIL; doneRes:=NIL;
errors:=NIL; errors:=NIL;