grahamc/hydra - Change 2P35LNRY3ZWGLARBNWLQEW2QPS3CTK4Z677ZZYFX4GLVNLUONYBAC

Add XSRF protection for POST requests

Some Hydra API requests were vulnerable to XSRF attacks, e.g. you could have a form on another website using http://hydra/logout as the form action. So we now require POST requests to come from the same origin.

Reported by Hans-Christian Esperer.

Created by Eelco Dolstra on October 20, 2016

2P35LNRY3ZWGLARBNWLQEW2QPS3CTK4Z677ZZYFX4GLVNLUONYBAC

Dependencies

[2] LZVO64YG43JD7YMZSCTZNOBS5ROZA4FMPKJW2YOMHX2V5PTGBVWQC
[3] J5UVLXOK6EDIL5I7VKWH4V2QDS4DPD7FHRK6XBWSXFRQS4JKXFZQC

In channels

upstream

main

Change contents

Insertion in src/lib/Hydra/Controller/Root.pm at line 63 [3.804]

[2.21385]

    # XSRF protection: require POST requests to have the same origin.
    if ($c->req->method eq "POST") {
        my $referer = $c->req->header('Origin');
        $referer //= $c->req->header('Referer');
        my $base = $c->req->base;
        error($c, "POST requests should come from ‘$base’")
            unless defined $referer && $referer eq $base;
    }