[Owncloud] Cross-site request forgery protection
Florian Hülsmann
fh at cbix.de
Fri Jun 29 23:36:39 UTC 2012
Just found out that the installation process fails when I disable the HTTP
referer URL. This is because of CSRF protection in lib/base.php which
checks for the referer in HTTP headers.

Would it be possible to do CSRF protection without requiring the browser
to send the referer header? I'm not familiar with CSRF, but I remember
having seen something like CSRF protection tokens in HTTP headers on
other sites/web apps, which we don't have in ownCloud (do we?). Maybe
that's a way to go...
Florian
On 13.06.2012 23:01, Thomas Tanghus wrote:
> On Wednesday 13 June 2012 22:40 Frank Karlitschek wrote:
>> Very cool!!
>>
>> do you think it's possible to backport it to stable4?
>
> It's probably easiest to copy/paste it ;-) I'll have a look at it tomorrow.
>
--
Florian Hülsmann
<fh at cbix.de>
http://cbix.de
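
The two approaches contrasted in the message above, as an added example that is not part of the original post and not ownCloud's code: a Referer-based check that fails when the header is absent, next to a session-bound token check that does not depend on it. All function names, the `csrf_token` field and the `X-CSRF-Token` header are hypothetical, and the requests are constructed.

```php
<?php
// Added example with hypothetical helpers; this is not ownCloud's lib/base.php.

// Referer-based check: any request without a Referer header is rejected,
// which is the failure mode described in the message above.
function refererCheck(array $server): bool {
    if (empty($server['HTTP_REFERER'])) {
        return false; // browsers or proxies that strip Referer end up here
    }
    $refHost = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($refHost)
        && strcasecmp($refHost, $server['SERVER_NAME'] ?? '') === 0;
}

// Token-based check, step 1: create one unpredictable value per session and
// embed it in every form or script that sends state-changing requests.
function issueToken(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Token-based check, step 2: the request must echo the session's token,
// either as a form field or as a custom header. Referer is never consulted.
function tokenCheck(array $session, array $post, array $server): bool {
    $sent = $post['csrf_token'] ?? $server['HTTP_X_CSRF_TOKEN'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    // Reject missing or non-string values, then compare in constant time.
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Constructed sample data: a POST from a browser that sends no Referer.
$session = [];
$token = issueToken($session);
$server = ['SERVER_NAME' => 'cloud.example.org', 'REQUEST_METHOD' => 'POST'];

$cases = [
    'referer check, legitimate request'  => refererCheck($server),
    'token check, token in form field'   => tokenCheck($session, ['csrf_token' => $token], $server),
    'token check, token in header'       => tokenCheck($session, [], $server + ['HTTP_X_CSRF_TOKEN' => $token]),
    'token check, token missing'         => tokenCheck($session, [], $server),
    'token check, guessed token'         => tokenCheck($session, ['csrf_token' => str_repeat('0', 64)], $server),
];
foreach ($cases as $label => $accepted) {
    echo str_pad($label, 36), $accepted ? 'accepted' : 'rejected', PHP_EOL;
}
```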