gramps/jarvisChat
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: close two CSRF origin-check security gaps

Browse Source 
- Extend origin check to all /api/ requests (not just state-changing methods),
  closing the GET/HEAD/OPTIONS bypass that allowed cross-origin reads
- origin_allowed() now returns False when both Origin and Referer headers
  are absent, preventing script-initiated requests from bypassing the check
- Update AGENTS.md and README.md to document the changes
This commit is contained in:
gramps
2026-06-27 15:20:02 -07:00
parent cc1efa7a21
commit 5986c4ad86
10 changed files with 17 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
security.py
View File

@@ -156,7 +156,7 @@ def origin_allowed(request: Request) -> bool:
parsed = urlparse(referer)
ref_origin = f"{parsed.scheme}://{parsed.netloc}".rstrip("/")
return ref_origin == expected_origin or ref_origin in TRUSTED_ORIGINS
return True
return False
def is_state_changing(method: str) -> bool: