
Check Origin header before accept/edit/delete

Open Lukas Braun requested to merge koomi/evaluationsportal:master into master
2
+ 10
1
@@ -6,8 +6,9 @@ from jinja2.exceptions import TemplateNotFound
from werkzeug import Local, LocalManager, Response
from werkzeug.routing import Map, Rule
from werkzeug.exceptions import BadRequest
from werkzeug.exceptions import BadRequest, Forbidden
import sys
import os
import netaddr
@@ -117,6 +118,14 @@ def remote_is_internal_network(request):
return False
def same_origin_only(request):
try:
if request.headers['Origin'] != config.weburl:
raise Forbidden(description="Same-Origin check failed")
except KeyError:
sys.stderr.write("WARNING: No Origin header in request for protected endpoint!\n");
available_themes = set([it[1] for it in config.themes_by_url])
available_themes.add(config.default_theme)
jinja_env = Environment(loader=ThemeSupportTemplateLoader(available_themes), cache_size=0)
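Review bot: The `except KeyError` branch of `same_origin_only` fails open: a request with no Origin header is only logged to stderr and then allowed through, so the accept/edit/delete endpoints this MR guards (the call sites are in the other file, not visible here) remain reachable by any client that simply omits the header, and by browsers that do not send Origin on some cross-site form submissions. A missing Origin should fall back to Referer and otherwise be rejected, and the comparison should be on the parsed scheme/host/port rather than the exact string, because an Origin value never carries a path or trailing slash whereas `config.weburl` (format not visible here) may, which would make every legitimate request fail. `urlsplit` would need to be imported from `urllib.parse` at the top of the file, and `config.weburl` must be the externally visible URL if a TLS-terminating proxy sits in front of the app. This remains a defence-in-depth check and not a substitute for a per-session CSRF token on the state-changing forms.
```python
def same_origin_only(request):
    """Reject the request unless its Origin (or, failing that, Referer) matches config.weburl."""
    expected = urlsplit(config.weburl)
    sent = request.headers.get('Origin') or request.headers.get('Referer')
    if sent is None:
        # Fail closed: a client that omits both headers must not bypass the check.
        raise Forbidden(description="Same-Origin check failed: no Origin or Referer header")
    got = urlsplit(sent)
    if (got.scheme, got.hostname, got.port) != (expected.scheme, expected.hostname, expected.port):
        raise Forbidden(description="Same-Origin check failed")
```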