d4708
/
qBittorrent
mirror of https://github.com/d47081/qBittorrent.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

[WebUI] relax CSRF defense. Closes #6882. 

Allow HTTP request which has neither Origin nor Referer header included
adaptive-webui-19844
Chocobo1 7 years ago
parent
b5c0d90e9c
commit
cdb8f4bc61
1 changed files with 3 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      src/webui/abstractwebapplication.cpp

6
src/webui/abstractwebapplication.cpp
Unescape View File

@ -392,9 +392,9 @@ bool AbstractWebApplication::isCrossSiteRequest(const Http::Request &request) co @@ -392,9 +392,9 @@ bool AbstractWebApplication::isCrossSiteRequest(const Http::Request &request) co
const QString refererValue = request.headers.value(Http::HEADER_REFERER);
if (originValue.isEmpty() && refererValue.isEmpty()) {
if ((request.path == QLatin1String("/")) || (request.path == QLatin1String("/favicon.ico")))
return false; // normal request
return true;
// owasp.org recommends to block this request, but doing so will inevitably lead Web API users to spoof headers
// so lets be permissive here
return false;
}
// sent with CORS requests, as well as with POST requests

Write Preview
Loading…
Cancel
Save