Make host validation not depend on CSRF being enabled (see #468)

Mike Gelfand 2018-01-17 23:34:40 +03:00
parent 90686f30ce
commit c0c2ba0b13
2 changed files with 4 additions and 4 deletions


@ -68,9 +68,9 @@
2.3.2. DNS Rebinding Protection
If CSRF protection is enabled, additional check is being made on each RPC
request to make sure that the client sending the request does so using
one of the allowed hostnames by which RPC server is meant to be available.
Additional check is being made on each RPC request to make sure that the
client sending the request does so using one of the allowed hostnames by
which RPC server is meant to be available.
If host whitelisting is enabled (which is true by default), Transmission
inspects the "Host:" HTTP header value (with port stripped, if any) and
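
Review bot: the replacement sentence beginning "Additional check is being made on each RPC request" now reads as unconditional, yet the paragraph right after it still gates the behaviour on "If host whitelisting is enabled (which is true by default)". A reader could take the first paragraph to mean the check cannot be turned off. Suggest stating the condition once, for example "When host whitelisting is enabled (the default), an additional check is made on each RPC request ...", and dropping the progressive "is being made".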


@ -719,7 +719,6 @@ handle_request (struct evhttp_request * req, void * arg)
{
handle_upload (req, server);
}
#ifdef REQUIRE_SESSION_ID
else if (!isHostnameAllowed (server, req))
{
char * const tmp = tr_strdup_printf (
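
Review bot: the host check stays an `else if` chained after the branch that calls `handle_upload (req, server);`, so a request that takes the upload branch is dispatched before `isHostnameAllowed` is ever evaluated. Since the point of this change is to make host validation unconditional, it is worth confirming whether that ordering is intended, and if not, moving the `isHostnameAllowed` test ahead of the handlers it is meant to guard.
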
@ -736,6 +735,7 @@ handle_request (struct evhttp_request * req, void * arg)
send_simple_response (req, 421, tmp);
tr_free (tmp);
}
#ifdef REQUIRE_SESSION_ID
else if (!test_session_id (server, req))
{
const char * sessionId = get_current_session_id (server);
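
Review bot: the `#ifdef REQUIRE_SESSION_ID` that now opens directly above `else if (!test_session_id (server, req))` is the only thing separating the conditional session-id branch from the unconditional host check, and nothing in the code says the placement is deliberate. A one-line comment above the `isHostnameAllowed` branch stating that it must stay outside `REQUIRE_SESSION_ID` would keep a later cleanup from folding it back in. Builds without `REQUIRE_SESSION_ID` will also start answering 421 for non-whitelisted hostnames after this change, which deserves a line in the release notes.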