686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
|
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
|
+
+
+
+
-
+
+
+
+
|
}
return zRef;
}
/*
** Return true if the current request is coming from the same origin.
**
** If the request comes from a different origin and bErrorLog is true, then
** put a warning message on the error log as this was a possible hack
** attempt.
*/
int cgi_same_origin(void){
int cgi_same_origin(int bErrorLog){
const char *zRef;
char *zToFree = 0;
int nBase;
int rc;
if( g.zBaseURL==0 ) return 0;
zRef = P("HTTP_REFERER");
if( zRef==0 ) return 0;
if( strchr(zRef,'%')!=0 ){
zToFree = strdup(zRef);
dehttpize(zToFree);
zRef = zToFree;
}
nBase = (int)strlen(g.zBaseURL);
if( fossil_strncmp(g.zBaseURL,zRef,nBase)!=0 ){
rc = 0;
}else if( zRef[nBase]!=0 && zRef[nBase]!='/' ){
rc = 0;
}else{
rc = 1;
}
if( rc==0 && bErrorLog ){
fossil_errorlog("warning: POST from different origin");
}
fossil_free(zToFree);
return rc;
}
/*
** Return true if the current CGI request is a POST request
*/
|
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
|
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
|
-
+
|
** 1: Request comes from the same origin
** 2: (1) plus it is a POST request
** 3: (2) plus there is a valid "csrf" token in the request
*/
int cgi_csrf_safe(int securityLevel){
if( g.okCsrf<0 ) return 0;
if( g.okCsrf==0 ){
if( !cgi_same_origin() ){
if( !cgi_same_origin(1) ){
g.okCsrf = -1;
}else{
g.okCsrf = 1;
if( cgi_is_post_request() ){
g.okCsrf = 2;
if( fossil_strcmp(P("csrf"), g.zCsrfToken)==0 ){
g.okCsrf = 3;
|