fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-06 18:21:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

Perform CSRF check for getLoginStatus separately

Browse source
This commit is contained in:
Kijin Sung 2022-10-20 16:56:17 +09:00
parent ed131897c5
commit ed649fb58c
2 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

5
modules/member/member.model.php
View file

@ -183,7 +183,10 @@ class memberModel extends member
$origin = strval(($_SERVER['HTTP_ORIGIN'] ?? '') ?: ($_SERVER['HTTP_REFERER'] ?? ''));
if ($origin !== '' && $origin !== 'null' && !Rhymix\Framework\URL::isInternalURL($origin))
{
throw new Rhymix\Framework\Exceptions\SecurityViolation();
$this->setError(-1);
$this->setMessage('msg_security_violation');
$this->add('errorDetail', 'ERR_CSRF_INVALID_ORIGIN');
return;
}
// Add CORS restriction