allow remote comments only from expected url
This commit is contained in:
parent
a72d32850b
commit
306053b1e3
@ -257,6 +257,11 @@ func (app *application) postGuestbookCommentCreateRemote(w http.ResponseWriter,
|
||||
return
|
||||
}
|
||||
|
||||
if normalizeUrl(r.Header.Get("Origin")) != normalizeUrl(website.SiteUrl) {
|
||||
app.clientError(w, http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
if !website.Guestbook.CanComment() {
|
||||
app.clientError(w, http.StatusForbidden)
|
||||
return
|
||||
|
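Review bot: The new Origin comparison accepts a scheme mismatch, because normalizeUrl (added in the other hunk) strips `http://` and `https://` before comparing, so an `http://` Origin passes for an `https://` SiteUrl; if that downgrade is not intended, compare scheme and host together rather than host alone. The check also passes when both sides normalize to the empty string (no Origin header and an unset or unparsable SiteUrl), so reject a missing header before comparing: `if origin := r.Header.Get("Origin"); origin == "" || normalizeUrl(origin) != normalizeUrl(website.SiteUrl) {`. Since Origin is set by browsers and can be anything in a non-browser request, a comment would help the next reader scope it correctly: `// Origin is a browser-supplied hint: this blocks cross-site form posts, it is not authentication.` postGuestbookCommentCreateRemote starts before the hunk and continues after it, and I cannot tell from here whether SiteUrl is stored with a trailing slash or path, which an Origin value never carries and which would make every legitimate request fail this comparison.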
@ -7,6 +7,7 @@ import (
|
||||
"net/http"
|
||||
"runtime/debug"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"git.32bit.cafe/32bitcafe/guestbook/internal/models"
|
||||
@ -127,3 +128,12 @@ func (app *application) durationToTime(duration string) (time.Time, error) {
|
||||
result = time.Now().UTC().Add(offset)
|
||||
return result, nil
|
||||
}
|
||||
|
||||
func normalizeUrl(url string) string {
|
||||
r, f := strings.CutPrefix(url, "http://")
|
||||
if f {
|
||||
return r
|
||||
}
|
||||
r, _ = strings.CutPrefix(url, "https://")
|
||||
return r
|
||||
}
|
||||
|
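Review bot: normalizeUrl is doing string prefix surgery on two values that have different shapes (an Origin header is `scheme://host[:port]`, a configured site URL may carry a trailing slash, path or mixed-case host), so legitimate requests can fail the comparison and an http/https mismatch is silently accepted; parsing both sides with net/url and comparing a canonical `scheme://host` is more robust. The rewrite below keeps the name normalizeUrl so the caller in the handler hunk still compiles, but needs `"net/url"` added to the import block changed in this file's first hunk, and the parameter is renamed from `url` because it would otherwise shadow that package. Returning `""` for anything url.Parse rejects means the caller must still reject an empty Origin explicitly, since two empty strings compare equal. The Go initialism convention would spell this normalizeURL; worth renaming in a follow-up together with the call site.
```go
// normalizeUrl reduces raw to a lowercase "scheme://host[:port]" so an Origin
// header (which never carries a path) can be compared with a configured site
// URL. It returns "" for values url.Parse rejects or that lack a scheme or host.
func normalizeUrl(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Scheme + "://" + u.Host)
}
```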