Commit ad20a50c authored by David Haynes

Close CSRF loophole (Closes #76)

- if you embed "/delete/memedaddy" into a page the link would get deleted
- this no longer is allowed
parent 90fb73fd
Pipeline #1256 passed in 1 minute and 22 seconds
......@@ -329,7 +329,7 @@ def delete(request, short):
url = get_object_or_404(URL, short__iexact=short)
# If the RegisteredUser is the owner of the URL
if url.owner == request.user.registereduser:
if url.owner == request.user.registereduser and request.META['HTTP_REFERER'] == request.META['HTTP_HOST']:
# remove the URL
url.delete()
# redirect to my_links
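Review bot: the new condition on the changed line compares `request.META['HTTP_REFERER']` with `request.META['HTTP_HOST']`, but a Referer header carries a full URL (scheme, host, path) while HTTP_HOST carries only the host, so the two values will not match even for a legitimate same-origin request and the owner's own deletes will no longer reach `url.delete()`. The header is also read by direct indexing, so a request that omits Referer raises KeyError instead of being refused cleanly. A Referer comparison is not a dependable CSRF defence in any case; the usual Django approach is to make `delete` accept only POST (`@require_POST`) and rely on the CSRF token that `CsrfViewMiddleware` validates, or at minimum compare `urlparse(request.META.get('HTTP_REFERER', '')).netloc` against the host rather than the raw header value.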