
Bypass referer check if Origin header is given

bjoerge committed Sep 5, 2012
1 parent e25d8a4 commit a91810fa030e939a5262b587a89b64285ccaa7b9
Showing with 13 additions and 1 deletion.
  1. +4 −0 lib/rack/protection/base.rb
  2. +1 −1 lib/rack/protection/json_csrf.rb
  3. +8 −0 spec/json_csrf_spec.rb
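--- a/lib/rack/protection/base.rb
+++ b/lib/rack/protection/base.rb
@@ -81,6 +81,10 @@ def referrer(env)
 URI.parse(ref).host || Request.new(env).host
 end
+ def origin(env)
+ env['HTTP_ORIGIN'] || env['HTTP_X_ORIGIN']
+ end
+
 def random_string(secure = defined? SecureRandom)
 secure ? SecureRandom.hex(32) : "%032x" % rand(2**128-1)
 rescue NotImplementedError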
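Review bot: `origin` returns the raw header value, whereas its neighbour `referrer` returns `URI.parse(ref).host`, so the two helpers do not yield comparable values and a caller that tests `origin(env)` against `Request#host` would never get a match. A short comment on the new method would prevent that misuse, e.g. `# Raw Origin header (falling back to the non-standard X-Origin); this is a full URL, not a host — parse it before comparing with Request#host.`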
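--- a/lib/rack/protection/json_csrf.rb
+++ b/lib/rack/protection/json_csrf.rb
@@ -16,7 +16,7 @@ class JsonCsrf < Base
 def call(env)
 status, headers, body = app.call(env)
 if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
- if referrer(env) != Request.new(env).host
+ if origin(env).nil? and referrer(env) != Request.new(env).host
 result = react(env)
 warn env, "attack prevented by #{self.class}"
 end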
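Review bot: The new condition skips the referrer comparison whenever an Origin or X-Origin header is present, but the header's value is never checked against the request host, so a request from any other origin now passes the JSON CSRF check simply by carrying the header; the spec added in spec/json_csrf_spec.rb pins exactly that behaviour, since `http://good.com` is not the test app's host. The origin should only stand in for the referrer when it names the same host, using the same URI parsing `referrer` already does, e.g. `origin_host = (o = origin(env)) && URI.parse(o).host` and then `if origin_host != Request.new(env).host && referrer(env) != Request.new(env).host`. A negative spec (Origin set to a foreign host, response not ok) would keep this from regressing. `and` happens to bind correctly here, but `&&` is the conventional operator inside a condition. The `call` method continues past the end of the hunk.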
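--- a/spec/json_csrf_spec.rb
+++ b/spec/json_csrf_spec.rb
@@ -12,6 +12,14 @@
 get('/', {}, 'HTTP_REFERER' => 'http://evil.com').should_not be_ok
 end
+ it "accepts requests with json responses with a remote referrer when there's an origin header set" do
+ get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_ORIGIN' => 'http://good.com').should be_ok
+ end
+
+ it "accepts requests with json responses with a remote referrer when there's an x-origin header set" do
+ get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_X_ORIGIN' => 'http://good.com').should be_ok
+ end
+
 it "accepts get requests with json responses with a local referrer" do
 get('/', {}, 'HTTP_REFERER' => '/').should be_ok
 end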
