public/mailcow-dockerized
1
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2025-12-13 18:06:01 +00:00
Code Issues Releases Wiki Activity

[Web] use SEC_FETCH_DEST header instead of Referer to block api requests

Browse Source
This commit is contained in:
FreddleSpl0it
2024-04-03 11:43:48 +02:00
parent 0d09c86c12
commit 3aee2b6cf5
1 changed files with 4 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
data/web/json_api.php
View File

@@ -47,12 +47,10 @@ function api_log($_data) {
} }
} }
// deny requests from /SOGo locations // Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
if (isset($_SERVER['HTTP_REFERER'])) { if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
if (strpos(strtolower($_SERVER['HTTP_REFERER']), '/sogo') !== false) { header('HTTP/1.1 403 Forbidden');
header('HTTP/1.1 403 Forbidden'); exit;
exit;
}
} }
if (isset($_GET['query'])) { if (isset($_GET['query'])) {