Require invirt-web POSTs to have proper referers
[invirt/packages/invirt-web.git] / code / view.py
index 5f32874..51f19a5 100644 (file)
@@ -123,6 +123,8 @@ def require_POST():
     if cherrypy.request.method != "POST":
         raise cherrypy.HTTPError(405,
                                  "You must submit this request with POST")
+    if not cherrypy.request.headers.get('Referer', '').startswith('https://' + config.web.hostname):
+        raise cherrypy.HTTPError(403, "This form is only usable when submitted from another page on this site. If you receive this message in error, check your browser's Referer settings.")
 
 cherrypy.tools.require_POST = cherrypy.Tool('on_start_resource',
                                             require_POST, priority=150)
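Review bot: The added Referer test in require_POST, `startswith('https://' + config.web.hostname)`, is a bare prefix match, so nothing anchors the end of the host name and any Referer whose authority merely begins with the configured hostname is accepted. Anchor it on the path separator, `.startswith('https://' + config.web.hostname + '/')`, or parse the header and compare scheme and host exactly. A one-line comment above the check would also help, e.g. `# CSRF guard: accept POSTs only when the Referer is a page on this site`, since clients that strip the header now get a 403. The function's `def` line and any earlier body are outside the hunk, so this assumes config.web.hostname is a bare host name with no port or path.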