From c928c41ee1f15776df85551c8df918643e5717bd Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Thu, 20 Oct 2016 16:11:33 +0200
Subject: [PATCH] Add XSRF protection for POST requests

Some Hydra API requests were vulnerable to XSRF attacks, e.g. you
could have a form on another website using http://hydra/logout as the
form action. So we now require POST requests to come from the same
origin.

Reported by Hans-Christian Esperer.
---
 src/lib/Hydra/Controller/Root.pm | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/lib/Hydra/Controller/Root.pm b/src/lib/Hydra/Controller/Root.pm
index 1d03bb38..6353abf1 100644
--- a/src/lib/Hydra/Controller/Root.pm
+++ b/src/lib/Hydra/Controller/Root.pm
@@ -60,6 +60,15 @@ sub begin :Private {
     };
     $_->supportedInputTypes($c->stash->{inputTypes}) foreach @{$c->hydra_plugins};
 
+    # XSRF protection: require POST requests to have the same origin.
+    if ($c->req->method eq "POST") {
+        my $referer = $c->req->header('Origin');
+        $referer //= $c->req->header('Referer');
+        my $base = $c->req->base;
+        error($c, "POST requests should come from ‘$base’")
+            unless defined $referer && $referer eq $base;
+    }
+
     $c->forward('deserialize');
 
     $c->stash->{params} = $c->request->data or $c->request->params;