
#2340 More Fine-grained referer (cross site scripting) check

Other
open
None
5
2005-11-29
2005-11-26
Alain Knaff
No

At the LLL project we have set up apache gateways to
webmin on the same server where our students
(untrusted ;-) ) have accounts and personal web
pages.

So we want to set up the referers in such a way that
a reference from https://www.ourserver.lu/WebMin/ is
allowed, but a reference from
https://www.ourserver.lu/~littlehax0r/ is not.

The attached patch allows matching referers against
prefixes (including directories), in addition to just
host names.

Moreover, it leaves port numbers in the site names,
to prevent a similar attack with redirects that go
directly to port 10000 rather than through the Apache
proxy. Thus a referer from
http://www.ourserver.lu:10000/ would be OK, but one
from http://www.ourserver.lu/~littlehax0r would not.
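The following is an added example of the check the ticket describes, written in Python; it is not Webmin's code and not the attached patch. It compares a Referer against configured URL prefixes on scheme, host, explicit port and path (at a directory boundary) instead of on the host name alone, and it keeps the port in the comparison so that a page on port 80 of the same host cannot stand in for the Webmin listener on port 10000. The host names and paths are the ones from the ticket; the function names, the treatment of a missing port as the scheme default, and the rejection of an absent Referer are this example's own choices.

```python
"""Referer prefix check (added example, not Webmin's code).

Allows a request only when its Referer lies under one of the configured
URL prefixes, compared on scheme, host, port and a directory-boundary
path prefix.  Values below are taken from the ticket; the design choices
(default ports, rejecting a missing Referer) are this example's own.
"""
import posixpath
from urllib.parse import urlsplit

# Prefixes from the ticket: the Apache gateway path and the direct listener.
ALLOWED_REFERERS = [
    "https://www.ourserver.lu/WebMin/",
    "http://www.ourserver.lu:10000/",
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_and_path(url):
    """Return (scheme, host, port, normalized path), or None if unusable."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port          # None when no explicit port is present
    except ValueError:             # non-numeric port: treat as unparseable
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]   # assumption: absent port means the scheme default
    # hostname is already lower-cased and excludes any "user@" prefix, so
    # "https://www.ourserver.lu@evil.example/" resolves to evil.example.
    host = parts.hostname
    # Collapse "." and ".." so "/WebMin/../~user/" cannot pass as "/WebMin/".
    raw_path = parts.path or "/"
    path = posixpath.normpath(raw_path)
    if raw_path.endswith("/") and path != "/":
        path += "/"
    return scheme, host, port, path


def path_under(path, prefix):
    """True if path equals the prefix directory or lies inside it."""
    prefix_dir = prefix.rstrip("/")
    return path.rstrip("/") == prefix_dir or path.startswith(prefix_dir + "/")


def referer_allowed(referer, allowed_prefixes=ALLOWED_REFERERS):
    """Return True only when referer lies under one of the allowed prefixes.

    A missing or unparseable Referer is rejected rather than waved through.
    """
    if not referer:
        return False
    ref = origin_and_path(referer)
    if ref is None:
        return False
    r_scheme, r_host, r_port, r_path = ref
    for prefix in allowed_prefixes:
        allowed = origin_and_path(prefix)
        if allowed is None:
            continue               # skip a misconfigured entry; never fail open
        a_scheme, a_host, a_port, a_path = allowed
        if (r_scheme, r_host, r_port) == (a_scheme, a_host, a_port) \
                and path_under(r_path, a_path):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample Referers, including the two cases named in the ticket.
    for ref in [
        "https://www.ourserver.lu/WebMin/index.cgi?x=1",
        "https://www.ourserver.lu/~littlehax0r/",
        "http://www.ourserver.lu:10000/",
        "http://www.ourserver.lu/~littlehax0r",
        "https://www.ourserver.lu/WebMin/../~littlehax0r/",
        "https://www.ourserver.lu/WebMinEvil/",
    ]:
        print("allow" if referer_allowed(ref) else "deny ", ref)
```

The directory-boundary comparison matters: a plain string prefix test would accept `/WebMinEvil/` because it starts with `/WebMin`, and without path normalization a student page reachable as `/WebMin/../~littlehax0r/` would also pass. Because the port is part of the comparison, `http://www.ourserver.lu/~littlehax0r` (port 80) never matches the port 10000 entry even though the host is identical.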

Discussion

  • Alain Knaff

    Alain Knaff - 2005-11-26

    Patch to make referer check more picky

     
  • Jamie Cameron

    Jamie Cameron - 2005-11-29
    • assigned_to: nobody --> jcameron
     
