Merge pull request #1371 from FrenjaminBanklin/feature/api-v1-csrf-mitigation

Add Origin/Referer request header checks to old V1 API controller.
clpetersonucf committed Apr 18, 2022
2 parents c779be9 + 222f52d commit af25911
Showing 1 changed file with 32 additions and 0 deletions.
32 changes: 32 additions & 0 deletions fuel/app/classes/controller/api.php
Expand Up @@ -11,6 +11,38 @@ class Controller_Api extends Controller_Rest

protected $_supported_formats = ['json' => 'application/json'];

public function before()
{
// bare bones CSRF mitigation
$headers = \Input::headers();
$header_origin = $headers['Origin'] ?? null;
// if Origin is missing - fail immediately
if ( ! isset($header_origin) || empty($header_origin))
{
throw new HttpServerErrorException;
}
$expected_origin = \Config::get('materia.urls.root');
// URI generation in Fuel adds a trailing slash which may be absent from the Origin header
// if it's missing, add it
if (substr($header_origin, -1) != '/')
{
$header_origin .= '/';
}

// check to make sure Origin matches the expected root URL first
if ($header_origin != $expected_origin)
{
throw new HttpServerErrorException;
}
// make sure Referer matches Origin
if (substr($headers['Referer'], 0, strlen($header_origin)) != $header_origin)
{
throw new HttpServerErrorException;
}

parent::before();
}

public function post_call($version, $format, $method)
{
$input = json_decode(Input::post('data', []));
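Review bot: `$headers['Referer']` on the `substr` line is read without a null guard, so a request that carries no Referer (Referrer-Policy `no-referrer`, privacy extensions) emits an undefined-index notice before the check rejects it, and on PHP 8 passing null to `substr` is deprecated; use `$header_referer = $headers['Referer'] ?? '';` and compare with `!==` instead of `!=` (the Origin comparison on the line above it should be strict as well). Rejecting with `HttpServerErrorException` reports a client-side forgery attempt as a 500, which will show up in server-error monitoring as an application fault; a 403-class exception (Fuel's `HttpNoAccessException`, if the Fuel version in use provides it) describes the condition and is what clients expect. Note also that the browser `Origin` header carries only scheme://host[:port], so if `materia.urls.root` ever includes a path component the equality check can never succeed; a comment stating that assumption, or a `parse_url`-based host/port comparison, would make the dependency explicit. The whole `before()` method is inside the hunk.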