coosld/kubo
1
0
Fork 0
mirror of https://github.com/ipfs/kubo.git synced 2026-02-21 18:37:45 +08:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

commands/http: Made command HTTP API only accept requests from referers on the same server

Browse Source
This commit is contained in:
Matt Bell 2015-02-02 20:16:17 -08:00
parent b1ca07d6c5
commit e8bbf1dcdf
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
commands/http/handler.go
View File

@ -6,6 +6,7 @@ import (
"io"
"net/http"
"strconv"
"strings"
context "github.com/jbenet/go-ipfs/Godeps/_workspace/src/code.google.com/p/go.net/context"
@ -55,6 +56,20 @@ func (i Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
log.Debug("Incoming API request: ", r.URL)
// error on external referers (to prevent CSRF attacks)
referer := r.Referer()
scheme := r.URL.Scheme
if len(scheme) == 0 {
scheme = "http"
}
host := fmt.Sprintf("%s://%s/", scheme, r.Host)
// empty string means the user isn't following a link (they are directly typing in the url)
if referer != "" && !strings.HasPrefix(referer, host) {
w.WriteHeader(http.StatusForbidden)
w.Write([]byte("403 - Forbidden"))
return
}
if len(i.origin) > 0 {
w.Header().Set("Access-Control-Allow-Origin", i.origin)
}