summaryrefslogtreecommitdiffstats
path: root/etc/inc/auth.inc
diff options
context:
space:
mode:
Diffstat (limited to 'etc/inc/auth.inc')
-rw-r--r--etc/inc/auth.inc26
1 files changed, 26 insertions, 0 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 13ca678..e7484c1 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -86,6 +86,32 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
}
}
+// If the HTTP_REFERER is something other than ourselves then disallow.
+if(!$config['system']['nohttpreferercheck']) {
+ if($_SERVER['HTTP_REFERER']) {
+ $found_host = false;
+ $hostname_me = $config['system']['hostname'] . "." . $config['system']['domain'];
+ if(stristr($_SERVER['HTTP_REFERER'], $hostname_me))
+ $found_host = true;
+ if(!empty($config['system']['webgui']['althostnames'])) {
+ $althosts = explode(" ", $config['system']['webgui']['althostnames']);
+ foreach ($althosts as $ah)
+ if(stristr($ah, $hostname_me))
+ $found_host = true;
+ }
+ $interface_list_ips = get_configured_ip_addresses();
+ foreach($interface_list_ips as $ilips) {
+ $hostname_me_ip = $config['webgui']['protocol'] . "://" . $ilips;
+ if(stristr($hostname_me_ip, $ilips))
+ $found_host = true;
+ }
+ if($found_host == false) {
+ display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . $_SERVER['HTTP_REFERER'] . "). You can disable this check if needed in System -> Advanced -> Admin.");
+ exit;
+ }
+ }
+}
+
$groupindex = index_groups();
$userindex = index_users();
OpenPOWER on IntegriCloud