X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Futil%2Fpage.py;h=eeb9ca343111b515b5bc300c122f77219108a4ed;hp=213f945f4394f4ba9cae435620a751c1caa0c07b;hb=5ebec54b30ae7cfeef98761894732f52b30d2441;hpb=8396e2c5a880042eda2c9549a9f6e9651bb68b93
diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py
index 213f945..eeb9ca3 100755
--- a/ipsilon/util/page.py
+++ b/ipsilon/util/page.py
@@ -17,11 +17,16 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
+import cherrypy
 from ipsilon.util.log import Log
 from ipsilon.util.user import UserSession
 from ipsilon.util.trans import Transaction
 from urllib import unquote
-import cherrypy
+try:
+ from urlparse import urlparse
+except ImportError:
+ # pylint: disable=no-name-in-module, import-error
+ from urllib.parse import urlparse
 def admin_protect(fn):
@@ -46,10 +51,14 @@ class Page(Log):
 self.default_headers = dict()
 self.auth_protect = False
- def _compare_urls(self, url1, url2):
- u1 = unquote(url1)
- u2 = unquote(url2)
- if u1 == u2:
+ def _check_referer(self, referer, url):
+ r = urlparse(unquote(referer))
+ u = urlparse(unquote(url))
+ if r.scheme != u.scheme:
+ return False
+ if r.netloc != u.netloc:
+ return False
+ if r.path.startswith(self.basepath):
 return True
 return False
@@ -79,7 +88,7 @@ class Page(Log):
 % (cherrypy.request.method, url))
 raise cherrypy.HTTPError(403)
 referer = cherrypy.request.headers['referer']
- if not self._compare_urls(referer, url):
+ if not self._check_referer(referer, url):
 self._debug("Wrong referer %s in request to %s"
 % (referer, url))
 raise cherrypy.HTTPError(403)
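Review bot: `_check_referer` unquotes the whole Referer before parsing it, so a percent-encoded `/`, `?`, `#` or `@` in the referring URL is decoded before `urlparse` decides where netloc ends and path begins, and the scheme/netloc comparison then depends on how that URL was encoded rather than on the header as sent; parse first and decode only the component being compared: `r = urlparse(referer)`, `u = urlparse(url)`, `if unquote(r.path).startswith(self.basepath):`. Scheme and host are case-insensitive, so the `!=` comparisons on `r.scheme` and `r.netloc` will reject a legitimate referer that differs only in case; lower both sides before comparing. `r.path.startswith(self.basepath)` is a plain prefix test, so a basepath of `/idp` also accepts `/idpother/...`; if basepath is meant as a directory prefix, match it with a trailing `/` or by equality. `self.basepath` is not assigned in the `__init__` lines visible in this hunk, so I assume it is set elsewhere in `Page`. Separately, the caller in the third hunk reads `cherrypy.request.headers['referer']` with a plain subscript (a context line, not part of this change), so a request without a Referer raises KeyError instead of the 403 the surrounding code returns.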