Added http_referer check for logged in users

Signed-off-by: Janos SUTO <sj@acts.hu>
2024-11-07 23:41:59 +01:00 · 2018-10-06 15:53:45 +00:00 · 2018-10-06 15:53:45 +00:00 · ef458a08f9
commit ef458a08f9
parent 59c9a80964
1 changed files with 4 additions and 0 deletions
--- a/webui/index.php
+++ b/webui/index.php
@ -74,6 +74,10 @@ else if($session->get("four_eyes") == 1 && $request->get['route'] != 'login/logo
 }
 else if(Registry::get('username')) {

+   // Check the Referer header which must be present after we are authenticated
+   if(!isset($_SERVER['HTTP_REFERER'])) die("missing HTTP_REFERER");
+   if(strpos($_SERVER['HTTP_REFERER'], SITE_URL) === false) die("invalid HTTP_REFERER");
+
   if(isset($request->get['route'])){
      $action = new Router($request->get['route']);
   }