authorCalum Lind <calumlind+deluge@gmail.com>2017-03-01 12:00:46 +0000
committerCalum Lind <calumlind+deluge@gmail.com>2017-03-01 14:35:49 +0000
commit318ab179865e0707d7945edc3a13a464a108d583 (patch)
tree34ada5d5e1dadc2184da4900349b0cc5628bdb97
parent25150f13afa82cec11214f26e159d74ec5a4258e (diff)
[WebUI] Only accept application/json content-type requests
- Protects against CSRF (Cross-site request forgery)
-rw-r--r--deluge/ui/web/json_api.py4
1 files changed, 4 insertions, 0 deletions
diff --git a/deluge/ui/web/json_api.py b/deluge/ui/web/json_api.py
index 4b1e8ff..57ce547 100644
--- a/deluge/ui/web/json_api.py
+++ b/deluge/ui/web/json_api.py
@@ -262,6 +262,10 @@ class JSON(resource.Resource, component.Component):
Handler to take the json data as a string and pass it on to the
_handle_request method for further processing.
"""
+ if request.getHeader('content-type') != 'application/json':
+ message = 'Invalid JSON request content-type: %s' % request.getHeader('content-type')
+ raise JSONException(message)
+
log.debug("json-request: %s", request.json)
response = {"result": None, "error": None, "id": None}
response["id"], d, response["error"] = self._handle_request(request)
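Review bot: The exact string comparison on the first added line rejects any client that sends a media-type parameter, e.g. `application/json; charset=utf-8`, which is a common and valid form of the header, so legitimate requests would be refused with the same JSONException as a forged one. Comparing only the media type keeps the CSRF protection while accepting those clients: `content_type = (request.getHeader('content-type') or '').split(';', 1)[0].strip().lower()` followed by `if content_type != 'application/json':` (the `or ''` also covers a missing header, which getHeader presumably returns as None). The check also deserves a why-comment so it is not loosened later, e.g. `# Non-JSON content-types are refused: a cross-site HTML form cannot set application/json, so this blocks CSRF form posts.` The enclosing method begins outside the hunk, so the request's origin is not visible here; whether any Origin/Referer or token check exists elsewhere in the handler cannot be confirmed from this hunk.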