oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Use host to check same origin if referrer looks trimmed to host

Browse source
This commit is contained in:
shortcutme 2019-10-28 16:41:08 +01:00
parent e1f73697ff
commit 270f3e9ffd
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
1 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
src/Ui/UiRequest.py
View file

@ -552,8 +552,18 @@ class UiRequest(object):
def isSameOrigin(self, url_a, url_b): def isSameOrigin(self, url_a, url_b):
if not url_a or not url_b: if not url_a or not url_b:
return False return False
origin_a = re.sub("http[s]{0,1}://(.*?/.*?/).*", "\\1", url_a)
origin_b = re.sub("http[s]{0,1}://(.*?/.*?/).*", "\\1", url_b) url_a = url_a.replace("/raw/", "/")
url_b = url_b.replace("/raw/", "/")
origin_pattern = "http[s]{0,1}://(.*?/.*?/).*"
is_origin_full = re.match(origin_pattern, url_a)
if not is_origin_full: # Origin looks trimmed to host, require only same host
origin_pattern = "http[s]{0,1}://(.*?/).*"
origin_a = re.sub(origin_pattern, "\\1", url_a)
origin_b = re.sub(origin_pattern, "\\1", url_b)
return origin_a == origin_b return origin_a == origin_b
# Return {address: 1Site.., inner_path: /data/users.json} from url path # Return {address: 1Site.., inner_path: /data/users.json} from url path