From 8a60b257a2220cb12b36643c68b034a9a7f91676 Mon Sep 17 00:00:00 2001
From: Anton Reutov
Date: Tue, 27 Jul 2021 14:56:35 +0300
Subject: [PATCH] Preventing uploads from other origin
---
 web/upload/UploadHandler.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/web/upload/UploadHandler.php b/web/upload/UploadHandler.php
index aedd747ca..515a885b9 100755
--- a/web/upload/UploadHandler.php
+++ b/web/upload/UploadHandler.php
@@ -2,6 +2,13 @@
 //session_start();
+$hostname = exec('hostname');
+$port = $_SERVER['SERVER_PORT'];
+$expected_http_origin="https://".$hostname.":".$port;
+if ($_SERVER['HTTP_ORIGIN'] != $expected_http_origin) {
+ die ("Nope.");
+}
+
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 // Check login_as feature
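Review bot: The expected origin built in the added lines will fail to match what browsers send in two cases the check does not account for: `exec('hostname')` returns the machine's own name rather than the name the panel is reached by (an alias, a bare IP, a short name versus the FQDN), and the port is always appended although browsers leave a default 443 out of `Origin`. Both cases fail closed, so the effect is rejected legitimate uploads rather than a bypass, but the call also spawns a shell on every request; a host name taken from the panel's configuration would be a steadier source. `$_SERVER['HTTP_ORIGIN']` is read without checking that it is set, which raises a notice when the header is absent, and the comparison is loose; `if (!isset($_SERVER['HTTP_ORIGIN']) || $_SERVER['HTTP_ORIGIN'] !== $expected_http_origin) {` keeps the same fail-closed result. An Origin match is a supplementary check, so a per-session anti-CSRF token on the upload request is still worth having if the code outside this hunk does not already verify one.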