author | Elias Norberg <xyzzy@kudzu.se> | 2012-03-30 00:12:38 +0200 |
---|---|---|
committer | Elias Norberg <xyzzy@kudzu.se> | 2012-04-09 18:12:59 +0200 |
commit | 519da60e0cb250aef8f2bd30f902b91bb82c4277 (patch) | |
tree | a8bc2c168df998573e75496bdcab6a11b8897e87 /xxxterm.c | |
parent | ecfc8e535d85aebdc61ccf5440b0e273da6defa3 (diff) | |
Fix for FS#270 - Bugs with stripping referer
The referer is now checked more strictly against the host. If the 'referer' setting is 'same-domain', it is now checked against the public suffix, so referers can be sent between subdomains. If 'referer' is set to 'same-fqdn' (NEW), the FQDNs must match strictly.
Diffstat (limited to 'xxxterm.c')
-rw-r--r-- | xxxterm.c | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/xxxterm.c b/xxxterm.c
index ad43a2a..ac2d335 100644
--- a/xxxterm.c
+++ b/xxxterm.c
@@ -4388,8 +4388,12 @@ session_rq_cb(SoupSession *s, SoupMessage *msg, SoupSocket *socket,
 gpointer data)
 {
 SoupURI *dest;
+ SoupURI *ref_uri;
 const char *ref;
+ char *ref_suffix;
+ char *dest_suffix;
+
 if (s == NULL || msg == NULL)
 return;
@@ -4407,15 +4411,32 @@ session_rq_cb(SoupSession *s, SoupMessage *msg, SoupSocket *socket,
 "Referer");
 break;
 case XT_REFERER_SAME_DOMAIN:
+ ref_uri = soup_uri_new(ref);
 dest = soup_message_get_uri(msg);
- if (dest && !strstr(ref, dest->host)) {
+ ref_suffix = tld_get_suffix(ref_uri->host);
+ dest_suffix = tld_get_suffix(dest->host);
+
+ if (dest && strcmp(ref_suffix, dest_suffix) != 0) {
+ soup_message_headers_remove(msg->request_headers,
+ "Referer");
+ DNPRINTF(XT_D_NAV, "session_rq_cb: removing "
+ "referer (not same domain) (suffixes: %s - %s)\n",
+ ref_suffix, dest_suffix);
+ }
+ soup_uri_free(ref_uri);
+ break;
+ case XT_REFERER_SAME_FQDN:
+ ref_uri = soup_uri_new(ref);
+ dest = soup_message_get_uri(msg);
+ if (dest && strcmp(ref_uri->host, dest->host) != 0) {
 soup_message_headers_remove(msg->request_headers,
 "Referer");
 DNPRINTF(XT_D_NAV, "session_rq_cb: removing "
- "referer (not same domain) (should be %s)\n",
+ "referer (not same fqdn) (should be %s)\n",
 dest->host);
 }
+ soup_uri_free(ref_uri);
 break;
 case XT_REFERER_CUSTOM:
 DNPRINTF(XT_D_NAV, "session_rq_cb: setting referer " |
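Review bot: In the second hunk's `XT_REFERER_SAME_DOMAIN` case, `dest->host` is handed to `tld_get_suffix()` before the `dest &&` test runs, and the result of `soup_uri_new(ref)` is dereferenced without a NULL check, so a Referer value that does not parse or has no host would crash the request callback instead of being stripped; the new `XT_REFERER_SAME_FQDN` case dereferences `ref_uri->host` the same way. I would guard both cases and remove the header whenever either side cannot be compared, so the policy fails closed (this also strips the header when `dest` is NULL, where the current code keeps it). `tld_get_suffix()` is not visible in this diff, so it should be confirmed whether it can return NULL, whether its result must be freed, and whether it yields the registrable domain rather than only the public suffix, since the latter would make unrelated sites under one suffix compare equal. The switch sits inside `session_rq_cb`, whose body starts and ends outside the hunk.

```c
	case XT_REFERER_SAME_DOMAIN:
		ref_uri = soup_uri_new(ref);
		dest = soup_message_get_uri(msg);
		ref_suffix = dest_suffix = NULL;
		if (ref_uri && ref_uri->host && dest && dest->host) {
			ref_suffix = tld_get_suffix(ref_uri->host);
			dest_suffix = tld_get_suffix(dest->host);
		}
		/* fail closed: strip the header when either side is unknown */
		if (ref_suffix == NULL || dest_suffix == NULL ||
		    strcmp(ref_suffix, dest_suffix) != 0) {
			soup_message_headers_remove(msg->request_headers,
			    "Referer");
			DNPRINTF(XT_D_NAV, "session_rq_cb: removing "
			    "referer (not same domain) (suffixes: %s - %s)\n",
			    ref_suffix ? ref_suffix : "(none)",
			    dest_suffix ? dest_suffix : "(none)");
		}
		if (ref_uri)
			soup_uri_free(ref_uri);
		break;
	/* … XT_REFERER_SAME_FQDN: same guard on ref_uri, ref_uri->host and dest->host before strcmp() … */
```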