From 55c591535cee2739c07017e37764aa950a494a16 Mon Sep 17 00:00:00 2001
From: myvesta <38690722+myvesta@users.noreply.github.com>
Date: Sun, 15 Aug 2021 14:53:16 +0200
Subject: [PATCH] Preventing all CSRF

---
 web/inc/secure_login.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/web/inc/secure_login.php b/web/inc/secure_login.php
index 55b17e55e..34b026959 100644
--- a/web/inc/secure_login.php
+++ b/web/inc/secure_login.php
@@ -49,3 +49,16 @@ if ($skip_login_url_check==0) {
         }
     }
 }
+
+// Preventing all CSRF
+if ($skip_login_url_check==0) {
+    if ($_SERVER['REQUEST_METHOD']=='POST') {
+        $host_arr=explode(":", $_SERVER['HTTP_HOST']);
+        $hostname=$host_arr[0];
+        $port = $_SERVER['SERVER_PORT'];
+        $expected_http_origin="https://".$hostname.":".$port;
+        if ($_SERVER['HTTP_ORIGIN'] != $expected_http_origin) {
+            die ("Nope.");
+        }
+    }
+}
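Review bot: The expected origin is built as `https://host:port` unconditionally, but browsers omit the default port from the Origin header, so on a deployment served on 443 (or over plain http) every POST would be rejected with "Nope."; the comparison also uses loose `!=` and reads `HTTP_ORIGIN` and `HTTP_HOST` without checking they are set, which emits notices for origin-less clients before failing closed. Behind a reverse proxy `SERVER_PORT` may also be the backend port rather than the public one, and an IPv6 literal host breaks the `explode(":")` split — worth confirming against the deployments this file targets. I would compare strictly, drop `:443` for the default port, treat a missing Origin as a rejection, and send a 403 before `die()` so clients and logs can distinguish a CSRF rejection from a normal page. `$skip_login_url_check` is assigned outside the hunk.
```php
// Preventing all CSRF
if ($skip_login_url_check==0) {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $hostname = explode(":", $_SERVER['HTTP_HOST'] ?? '')[0];
        $port = (int) ($_SERVER['SERVER_PORT'] ?? 0);
        // Browsers omit the default port from Origin, so "https://host:443" would never match
        $expected_http_origin = "https://".$hostname.($port === 443 ? "" : ":".$port);
        $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
        // A missing Origin is treated as a mismatch: fail closed for cross-site POSTs
        if ($origin === '' || $origin !== $expected_http_origin) {
            header('HTTP/1.1 403 Forbidden');
            die ("Nope.");
        }
    }
}
```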