[WebUI] Only accept application/json content-type requests

- Protects against CSRF (Cross-site request forgery)
Calum Lind 2017-03-01 12:00:46 +00:00
parent 25150f13af
commit 318ab17986


@ -262,6 +262,10 @@ class JSON(resource.Resource, component.Component):
Handler to take the json data as a string and pass it on to the
_handle_request method for further processing.
"""
if request.getHeader('content-type') != 'application/json':
message = 'Invalid JSON request content-type: %s' % request.getHeader('content-type')
raise JSONException(message)
log.debug("json-request: %s", request.json)
response = {"result": None, "error": None, "id": None}
response["id"], d, response["error"] = self._handle_request(request)
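Review bot: The exact comparison `request.getHeader('content-type') != 'application/json'` fails closed, which is the right direction for a CSRF guard, but it also rejects legitimate clients that send `application/json; charset=utf-8` or a differently cased media type. Comparing only the media type keeps the protection and avoids that: `content_type = (request.getHeader('content-type') or '').split(';', 1)[0].strip().lower()` followed by `if content_type != 'application/json':`. It would also help to add a comment such as `# CSRF guard: browsers cannot send application/json cross-origin without a CORS preflight, so this endpoint must not answer preflights permissively`, since the defence silently depends on that. The message echoes the client-supplied header value; how JSONException is rendered is not visible here, so confirm it is not reflected unescaped. The enclosing handler starts above this hunk and continues below it.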