Make host validation not depend on CSRF being enabled (see #468)
parent
90686f30ce
commit
c0c2ba0b13
|
@ -68,9 +68,9 @@
|
|||
|
||||
2.3.2. DNS Rebinding Protection
|
||||
|
||||
If CSRF protection is enabled, additional check is being made on each RPC
|
||||
request to make sure that the client sending the request does so using
|
||||
one of the allowed hostnames by which RPC server is meant to be available.
|
||||
Additional check is being made on each RPC request to make sure that the
|
||||
client sending the request does so using one of the allowed hostnames by
|
||||
which RPC server is meant to be available.
|
||||
|
||||
If host whitelisting is enabled (which is true by default), Transmission
|
||||
inspects the "Host:" HTTP header value (with port stripped, if any) and
|
||||
|
|
|
@ -719,7 +719,6 @@ handle_request (struct evhttp_request * req, void * arg)
|
|||
{
|
||||
handle_upload (req, server);
|
||||
}
|
||||
#ifdef REQUIRE_SESSION_ID
|
||||
else if (!isHostnameAllowed (server, req))
|
||||
{
|
||||
char * const tmp = tr_strdup_printf (
|
||||
|
@ -736,6 +735,7 @@ handle_request (struct evhttp_request * req, void * arg)
|
|||
send_simple_response (req, 421, tmp);
|
||||
tr_free (tmp);
|
||||
}
|
||||
#ifdef REQUIRE_SESSION_ID
|
||||
else if (!test_session_id (server, req))
|
||||
{
|
||||
const char * sessionId = get_current_session_id (server);
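Review bot: The host check is now compiled in unconditionally, but in handle_request it still sits after the `handle_upload (req, server);` branch of the same else-if chain, so an upload request appears to be dispatched before `isHostnameAllowed (server, req)` is evaluated. Unless handle_upload validates the Host header itself (not visible here), that path is not covered by the DNS rebinding protection that section 2.3.2 now describes as applying to each RPC request. Consider moving `else if (!isHostnameAllowed (server, req))` ahead of the upload branch, or state the exemption in the documentation and in a comment next to the branch. The chain starts and ends outside the visible hunks, so any earlier branches deserve the same check.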
|
||||
|
|