




VID-11 insert basic referrer check.

VID-11 insert basic referrer check.

If the HTTP {{referer}} header is present, ensure its domain matches the one specified in the query string. Deny access if they differ.

Commit b73752c4.

Authored 2019-04-16T17:49:15.000+01:00 by B Tasker in project Websites / videos.bentasker.co.uk

+41 lines -0 lines


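diff --git a/resources/tokenisation/minter/token_gen.lua b/resources/tokenisation/minter/token_gen.lua
--- a/resources/tokenisation/minter/token_gen.lua
+++ b/resources/tokenisation/minter/token_gen.lua
@@ -44,6 +44,20 @@ function table.contains(table, element)
 end
 
 
+function strSplit(delim,str)
+ -- From https://snippets.bentasker.co.uk/page-1705231204-Split-string-on-Delimiter-LUA.html
+ local t = {}
+
+ for substr in string.gmatch(str, "[^".. delim.. "]*") do
+ if substr ~= nil and string.len(substr) > 0 then
+ table.insert(t,substr)
+ end
+ end
+
+ return t
+end
+
+
 
 local function sendSuccessful(tok,expires,debug)
 -- response format should be
@@ -75,6 +89,27 @@ end
 
 
 
+local function check_referrer(referrer,httpref,permitted)
+
+
+ local refsplit = strSplit("/",referrer)
+ local refdomain = refsplit[2]
+
+ -- First, if a HTTP referrer header has been included in the request (not mandatory)
+ -- check the domain matches the one submitted in the query string
+ if httpref ~= nil
+ then
+ local hsplit = strSplit("/",httpref)
+ if hsplit[2] ~= refdomain
+ then
+ return false
+ end
+ end
+
+
+ return true
+end
+
 -- Function main
 
 -- get some details from the request
@@ -112,6 +147,12 @@ then
 return
 end
 
+if check_referrer(referer,httpref,permitted_referrers) ~= True
+then
+ sendFailed("Referred from unauthorised source")
+ return
+end
+
 
 
 -- Calculate when the token should expire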
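Review bot: In the third hunk, `check_referrer(referer,httpref,permitted_referrers) ~= True` compares against the undefined global `True` (which evaluates to `nil` in Lua), so both a `true` and a `false` result satisfy the condition and every request would fall through to `sendFailed`; the line should read `if not check_referrer(referer,httpref,permitted_referrers)`. In the second hunk the `permitted` parameter is never read, so `check_referrer` only confirms that two client-supplied values agree with each other and does not check the referrer against an allow-list — if that is the intent for now, say so with `-- NOTE: permitted is not yet consulted; only header/query-string consistency is checked`, otherwise compare `refdomain` against `permitted` before returning `true`. Host names are case-insensitive, so comparing `hsplit[2]` and `refdomain` with `~=` as written rejects a header that differs only in letter case; lower-casing both sides first would avoid that. `strSplit` in the first hunk is declared as a global and splices `delim` unescaped into a pattern character class, which works for `"/"` but breaks for delimiters containing pattern magic characters, so `local function strSplit` with the delimiter escaped is the safer form. The main-flow code around the third hunk starts and ends outside it.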