fix(csrf): handle X-Forwarded-Host and parse origin as URL
This commit is contained in:
@@ -16,7 +16,6 @@ func VerifyOrigin(next http.Handler) http.Handler {
|
|||||||
if origin == "" {
|
if origin == "" {
|
||||||
referer := r.Header.Get("Referer")
|
referer := r.Header.Get("Referer")
|
||||||
if referer == "" {
|
if referer == "" {
|
||||||
// If neither is present, and it's a POST/PUT/DELETE, reject it (strict policy)
|
|
||||||
http.Error(w, "Missing Origin or Referer header", http.StatusForbidden)
|
http.Error(w, "Missing Origin or Referer header", http.StatusForbidden)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@@ -29,12 +28,21 @@ func VerifyOrigin(next http.Handler) http.Handler {
|
|||||||
origin = refURL.Scheme + "://" + refURL.Host
|
origin = refURL.Scheme + "://" + refURL.Host
|
||||||
}
|
}
|
||||||
|
|
||||||
|
originURL, err := url.Parse(origin)
|
||||||
|
if err != nil {
|
||||||
|
http.Error(w, "Invalid Origin header", http.StatusForbidden)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
host := r.Host
|
host := r.Host
|
||||||
// If origin doesn't match host (accounting for potential schema prefixes)
|
if forwardedHost := r.Header.Get("X-Forwarded-Host"); forwardedHost != "" {
|
||||||
|
host = forwardedHost
|
||||||
|
}
|
||||||
|
|
||||||
expectedHTTP := "http://" + host
|
expectedHTTP := "http://" + host
|
||||||
expectedHTTPS := "https://" + host
|
expectedHTTPS := "https://" + host
|
||||||
|
|
||||||
if origin != expectedHTTP && origin != expectedHTTPS {
|
if originURL.Scheme+"://"+originURL.Host != expectedHTTP && originURL.Scheme+"://"+originURL.Host != expectedHTTPS {
|
||||||
http.Error(w, "Cross-Site Request Forgery (CSRF) origin mismatch", http.StatusForbidden)
|
http.Error(w, "Cross-Site Request Forgery (CSRF) origin mismatch", http.StatusForbidden)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user