| author | Omar Roth <omarroth@hotmail.com> | 2018-09-05 20:32:01 -0500 |
|---|---|---|
| committer | Omar Roth <omarroth@hotmail.com> | 2018-09-05 20:32:01 -0500 |
| commit | a749ac73acb19ec2e3897006183a4bb1f63ef99a (patch) | |
| tree | bdf2bf70789a4b06d6cd1a5c0cc939a17e633493 | |
| parent | 62f023c50f00168cafcdc835bdc3084d8009eb9a (diff) | |
| download | invidious-a749ac73acb19ec2e3897006183a4bb1f63ef99a.tar.gz invidious-a749ac73acb19ec2e3897006183a4bb1f63ef99a.tar.bz2 invidious-a749ac73acb19ec2e3897006183a4bb1f63ef99a.zip | |
Add header check for CSRF
| -rw-r--r-- | src/invidious.cr | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/invidious.cr b/src/invidious.cr
index 22643016..f38a1343 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -106,6 +106,18 @@ spawn do
 end
 
 before_all do |env|
+ # CSRF
+ if Kemal.config.ssl || CONFIG.https_only
+ host = env.request.headers["Host"]?
+
+ if (env.request.headers["Origin"]?.try &.== host) ||
+ (env.request.headers["Referer"]?.try &.== host)
+ # All good!
+ else
+ halt env, status_code: 403, response: "Failed CSRF check"
+ end
+ end
+
 if env.request.cookies.has_key? "SID"
 headers = HTTP::Headers.new
 headers["Cookie"] = env.request.headers["Cookie"]
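Review bot: The comparison `env.request.headers["Origin"]?.try &.== host` cannot succeed for a browser request, because Origin carries a scheme (`https://example.org`) and Referer carries a full URL, while Host is only `example.org[:port]`; a request with either header set therefore gets the 403, and one with neither (typed URL, bookmark) is rejected too, so with `Kemal.config.ssl || CONFIG.https_only` this blocks all navigation rather than just cross-site writes. Compare the host component of the header instead, and only on non-safe methods, so that a missing Referer on a direct GET is not treated as a failure. `URI#host` drops the port while `Host` may carry one, so a deployment on a non-default port needs the port handled before comparing — confirm against how the server is bound. The `before_all` block continues outside the hunk.
```crystal
before_all do |env|
  # CSRF: compare the host part of Origin/Referer with Host, and only for
  # state-changing methods; safe methods are allowed even without a Referer.
  if Kemal.config.ssl || CONFIG.https_only
    unless {"GET", "HEAD", "OPTIONS"}.includes?(env.request.method)
      host = env.request.headers["Host"]?
      origin = env.request.headers["Origin"]? || env.request.headers["Referer"]?
      origin_host = origin.try { |value| URI.parse(value).host }

      if origin_host.nil? || origin_host != host
        halt env, status_code: 403, response: "Failed CSRF check"
      end
    end
  end

  # … unchanged: SID cookie handling …
```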
