mirror of https://github.com/d47081/qBittorrent.git synced 2025-01-11 07:18:08 +00:00

Merge pull request #6887 from Chocobo1/csrf_relax

[WebUI] relax CSRF defense. Closes #6882.
sledgehammer999 2017-06-14 02:37:33 +03:00 committed by GitHub
commit fd05f5dec5


@ -392,9 +392,9 @@ bool AbstractWebApplication::isCrossSiteRequest(const Http::Request &request) co
const QString refererValue = request.headers.value(Http::HEADER_REFERER); const QString refererValue = request.headers.value(Http::HEADER_REFERER);
if (originValue.isEmpty() && refererValue.isEmpty()) { if (originValue.isEmpty() && refererValue.isEmpty()) {
if ((request.path == QLatin1String("/")) || (request.path == QLatin1String("/favicon.ico"))) // owasp.org recommends to block this request, but doing so will inevitably lead Web API users to spoof headers
return false; // normal request // so lets be permissive here
return true; return false;
} }
// sent with CORS requests, as well as with POST requests // sent with CORS requests, as well as with POST requests
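Review bot: The new `return false;` in the `originValue.isEmpty() && refererValue.isEmpty()` branch treats every header-less request as same-site, whatever its path or method, so `isCrossSiteRequest()` no longer protects state-changing WebUI endpoints when both headers are absent. The removed code limited this allowance to `/` and `/favicon.ico`. A browser can omit both headers in some configurations (for example under a strict referrer policy), so the case is not confined to scripted API clients. I would keep the permissive path for read-only requests only and return `true` for anything that modifies state, or, if that is not acceptable for API users, record the residual risk at the branch, e.g. `// WARNING: requests without Origin and Referer skip the CSRF check; state-changing endpoints must be protected by another control`. The rest of the function lies outside this hunk, so whether a later check or another layer (such as a CSRF token or a SameSite session cookie) covers this case cannot be confirmed from here.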