From 43da9e2aa71dfa92fb3a2a778d8a80722f17e670 Mon Sep 17 00:00:00 2001
From: myvesta <38690722+myvesta@users.noreply.github.com>
Date: Sun, 15 Aug 2021 15:14:16 +0200
Subject: [PATCH] Preventing CSRF in file_manager/fm_api.php

---
 web/file_manager/fm_api.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/web/file_manager/fm_api.php b/web/file_manager/fm_api.php
index cf4eef82a..4a4dd9ec7 100644
--- a/web/file_manager/fm_api.php
+++ b/web/file_manager/fm_api.php
@@ -2,6 +2,17 @@
 // Init
 //error_reporting(NULL);
+// Preventing CSRF
+if ($_SERVER['REQUEST_METHOD']=='POST') {
+    $host_arr=explode(":", $_SERVER['HTTP_HOST']);
+    $hostname=$host_arr[0];
+    $port = $_SERVER['SERVER_PORT'];
+    $expected_http_origin="https://".$hostname.":".$port;
+    if ($_SERVER['HTTP_ORIGIN'] != $expected_http_origin) {
+        die ("Nope.");
+    }
+}
+
 header('Content-Type: application/json');
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");