From 3402071e950e76b79fa8672a1e09b70d3860f355 Mon Sep 17 00:00:00 2001
From: myvesta <38690722+myvesta@users.noreply.github.com>
Date: Sun, 14 Mar 2021 20:49:14 +0100
Subject: [PATCH] Preventing uploads from other origin
Credits to: Fady Othman, Security Consultant # ZINAD IT
---
 web/upload/UploadHandler.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/web/upload/UploadHandler.php b/web/upload/UploadHandler.php
index 64004c91c..b77749abe 100755
--- a/web/upload/UploadHandler.php
+++ b/web/upload/UploadHandler.php
@@ -2,6 +2,13 @@
 //session_start();
+$hostname = exec('hostname');
+$port = $_SERVER['SERVER_PORT'];
+$expected_http_origin="https://".$hostname.":".$port;
+if ($_SERVER['HTTP_ORIGIN'] != $expected_http_origin) {
+ die ("Nope.");
+}
+
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 // Check login_as feature
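Review bot: The new check reads `$_SERVER['HTTP_ORIGIN']` unconditionally and compares with `!=`; when the header is absent PHP raises an undefined-index notice and the loose null-vs-string comparison still reaches die(), so the value should be read via `?? ''` and compared with `!==` so the fail-closed behaviour is explicit rather than accidental. The expected origin always appends `:$port`, but browsers omit the default port from the Origin header, so if this panel is ever served on 443 the constructed `https://host:443` can never match a real `https://host` origin; dropping the suffix when the port is 443 keeps the intent. `exec('hostname')` also spawns a shell on every upload request where `gethostname()` returns the same value without one, and the bare die() answers with a 200 body, whereas `http_response_code(403)` before it makes the rejection visible to clients and in access logs. The hunk's context lines suggest top-level script code, so there is no enclosing function to consider.
```php
$hostname = gethostname();
$port = (int) ($_SERVER['SERVER_PORT'] ?? 0);
// Origin carries no port when it is the scheme default, so only append a non-default one.
$expected_http_origin = 'https://' . $hostname . ($port === 443 ? '' : ':' . $port);
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if ($origin === '' || $origin !== $expected_http_origin) {
    http_response_code(403);
    die ("Nope.");
}
// … unchanged: include of inc/main.php …
```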